Symantec Encryption Management Server


Symantec Encryption Management Server Administrator's Guide 3.4

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Version 3.4.2. Last updated: March 2018.

Legal Notice

Copyright (c) 2018 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Licensed Software does not alter any rights or obligations you may have under those open source or free software licenses. For more information on the Third Party Programs, please see the Third Party Notice document for this Symantec product that may be available at as/, the Third Party Legal Notice Appendix that may be included with this Documentation and/or Third Party Legal Notice ReadMe File that may accompany this Symantec product.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
Symantec Home Page (https://support.symantec.com/en_US/dpl.62369.html)

Contents

Introduction  1
What is Symantec Encryption Management Server?  1
Symantec Encryption Management Server Product Family  1
Who Should Read This Guide  2
Common Criteria Environments  2
Using the Symantec Encryption Management Server with the Command Line  2
Symbols  3
Getting Assistance  3
Getting product information  3
Technical Support  4
Contacting Technical Support  4
Licensing and Registration  5
Customer Support  5
Support Agreement Resources  5
The Big Picture  7
Important Terms  7
Related Products  7
Symantec Encryption Management Server Concepts  8
Symantec Encryption Management Server Features  9
Symantec Encryption Management Server User Types  11
Installation Overview  12
About Open Ports  17
TCP Ports  17
UDP Ports  18
About Naming your Symantec Encryption Management Server  21
How to Name Your Symantec Encryption Management Server  21
Naming Methods  22
Understanding the Administrative Interface  23
System Requirements  23
Logging In  23
The System Overview Page  25
Managing Alerts  26
Logging In For the First Time  26
Licensing Your Software  29
Overview  29
Licensing a Symantec Encryption Management Server  29
License Authorization  29

Licensing the Mail Proxy Feature  30
Licensing Symantec Encryption Desktop  30
Operating in Learn Mode  31
Purpose of Learn Mode  31
Checking the Logs  32
Managing Learn Mode  32
Managed Domains
About Managed Domains
Adding Managed Domains
Deleting Managed Domains
Understanding Keys
Choosing a Key Mode for Key Management
Changing Key Modes
How Symantec Encryption Management Server Uses Certificate Revocation Lists
Key Reconstruction Blocks
Managed Key Permissions
Managing Organization Keys
About Organization Keys
Organization Key
Inspecting the Organization Key
Regenerating the Organization Key
Importing an Organization Key
Organization Certificate
Inspecting the Organization Certificate
Exporting the Organization Certificate
Deleting the Organization Certificate
Generating the Organization Certificate
Importing the Organization Certificate
Renewing the Organization Certificate
Additional Decryption Key (ADK)
Importing the ADK
Inspecting the ADK
Deleting the ADK
External User Root Key
Generating the External User Root Key
Importing the External User Root Key
Deleting the External User Root Key
External User Root Certificate
Generating the External User Root Certificate
Importing the External User Root Certificate
Deleting the External User Root Certificate
Verified Directory Key
Importing the Verified Directory Key
Inspecting the Verified Directory

Deleting the Verified Directory Key
Administering Managed Keys
Viewing Managed Keys
Managed Key Information
Email
Symmetric Key Series
Symmetric Keys
Custom Data Objects
Exporting Consumer Keys
Exporting the Managed Key of an Internal User
Exporting the Managed Key of an External User
Exporting Symantec Encryption Verified Directory User Keys
Exporting the Managed Key of a Managed Device
Deleting Consumer Keys
Deleting the Managed Key of an Internal User
Deleting the Managed Key of an External User
Deleting the Key of a Symantec Encryption Verified Directory User
Deleting the Managed Key of a Managed Device
Approving Pending Keys
Revoking Managed Keys
Managing Trusted Keys and Certificates
Overview
Trusted Keys
Trusted Certificates
Adding a Trusted Key or Certificate
Inspecting and Changing Trusted Key Properties
Deleting Trusted Keys and Certificates
Searching for Trusted Keys and Certificates
Managing Group Keys
Overview
Establishing Default Group Key Settings
Adding a Group Key to an Existing Group
Creating a New Group with a Group Key
Removing a Group Key from a Group
Deleting a Group Key
Revoking a Group Key
Exporting a Group Key
Setting Mail Policy
Overview
How Policy Chains

Mail Policy and Dictionaries
Mail Policy and Key Searches
Mail Policy and Cached Keys
Understanding the Pre-Installed Policy Chains
How Upgrading and Updating Affect Mail Policy Settings
Mail Policy Outside the Mailflow
Using the Rule Interface
The Conditions Card
The Actions Card
Building Valid Chains and Rules
Using Valid Processing Order
Creating Valid Groups
Creating a Valid Rule
Managing Policy Chains
Mail Policy Best Practices
Restoring Mail Policy to Default Settings
Adding Policy Chains
Deleting Policy Chains
Exporting Policy Chains
Printing Policy Chains
Managing Rules
Adding Rules to Policy Chains
Deleting Rules from Policy Chains
Enabling and Disabling Rules
Changing the Processing Order of the Rules
Adding Key Searches
Choosing Condition Statements, Conditions, and Actions
Condition Statements
Conditions
Actions
Working with Common Access Cards
Applying Key Not Found Settings to External Users
Overview
Bounce the Message
Symantec PDF Email Protection
Symantec PDF Email Protection Secure Reply
Working with Passphrases
Certified Delivery with Symantec PDF Email Protection
Send Unencrypted
Smart Trailer
Symantec Encryption Web Email Protection
Changing Policy Settings
Changing User Delivery Method Preference
Using Dictionaries with Policy
Overview
Default Dictionaries
Editing Default Dictionaries
User-Defined Dictionaries
Adding a User-Defined

Editing a User-Defined Dictionary
Deleting a Dictionary
Exporting a Dictionary
Searching the Dictionaries
Keyservers, SMTP Archive Servers, and Mail Policy
Overview
Keyservers
Adding or Editing a Keyserver
Deleting a Keyserver
SMTP Servers
Adding or Editing an Archive Server
Deleting an Archive Server
Managing Keys in the Key Cache
Overview
Changing Cached Key Timeout
Purging Keys from the Cache
Trusting Cached Keys
Viewing Cached Keys
Searching the Key Cache
Configuring Mail Proxies
Overview
Symantec Encryption Management Server and Mail Proxies
Mail Proxies in an Internal Placement
Mail Proxies in a Gateway Placement
Mail Proxies Page
Creating New or Editing Existing Proxies
Creating or Editing a POP/IMAP Proxy
Creating or Editing an Outbound SMTP Proxy
Creating or Editing an Inbound SMTP Proxy
Creating or Editing a Unified SMTP Proxy
Email in the Mail Queue
Overview
Deleting Messages from the Mail Queue
Specifying Mail Routes
Overview
Managing Mail Routes
Adding a Mail Route
Editing a Mail Route
Deleting a Mail

Customizing System Message Templates
Overview
Templates and Message Size
Symantec PDF Email Protection Templates
Symantec Encryption Web Email Protection Templates
Editing a Message Template
Integrating with Symantec Data Loss Prevention
Enabling Integration with DLP
Disabling Integration with DLP
Changing the DLP Integration Authentication Information
Managing Groups
Understanding Groups
Sorting Consumers into Groups
Everyone Group
Excluded Group
Policy Group Order
Setting Policy Group Order
Creating a New Group
Deleting a Group
Viewing Group Members
Manually Adding Group Members
Manually Removing Members from a Group
Group Permissions
Adding Group Permissions
Deleting Group Permissions
Setting Group Membership
Searching Groups
Creating Group Client Installations
How Group Policy is Assigned to Symantec Encryption Desktop Installers
When to Bind a Client Installation
Creating Symantec Encryption Desktop Installers
Managing Devices
Managed Devices
Adding and Deleting Managed Devices
Adding Managed Devices to Groups
Managed Device Information
Deleting Devices from Symantec Encryption Management Server
Deleting Managed Devices from Groups
Drive Encryption Devices (Computers and Disks)
Drive Encryption Computers
Drive Encryption Disks
FileVault Devices (Computers and Disks)
FileVault Computer Information
FileVault Disk

Searching for Devices  194
Administering Consumer Policy  197
Understanding Consumer Policy  197
Managing Consumer Policies  197
Adding a Consumer Policy  197
Editing a Consumer Policy  198
Deleting a Consumer Policy  199
Making Sure Users Create Strong Passphrases  199
Understanding Entropy  200
Enabling or Disabling Encrypted Email  200
Using the Windows Preinstallation Environment  201
X.509 Certificate Management in Lotus Notes Environments  201
Trusting Certificates Created by Symantec Encryption Management Server  202
Setting the Lotus Notes Key Settings in Symantec Encryption Management Server  204
Technical Deployment Information  204
Offline Policy  205
Using a Policy ADK  206
Out of Mail Stream Support  207
Enrolling Users through Silent Enrollment  208
Silent Enrollment with Windows  209
Silent Enrollment with Mac OS X  209
Symantec Drive Encryption Administration  209
Symantec Drive Encryption on Mac OS X with FileVault  209
How Symantec Drive Encryption Works with Different Operating Systems and Boot Modes  210
How Does Single Sign-On Work?  213
Enabling Single Sign-On  213
Managing Clients Remotely Using a Symantec Drive Encryption Administrator Active Directory Group  215
Managing Clients Locally Using the Symantec Drive Encryption Administrator Key  216
Setting Policy for Clients  219
Client and Symantec Encryption Management Server Version Compatibility  219
Establishing Symantec Encryption Desktop Settings for Your Symantec Encryption Desktop Clients  219
Symantec Encryption Desktop Feature License Settings  220
Enabling Symantec Encryption Desktop Client Features in Consumer Policies  221
Controlling Symantec Encryption Desktop Components  222
Setting and managing a passphrase expiry policy for passphrase users  223
PGP Portable  224
Symantec File Share Encryption  225
How the Symantec File Share Encryption Policy Settings Work Together  225
Multi-user environments and managing Symantec File Share Encryption  226
Backing Up Symantec File Share Encryption-Protected Files  226
About Mobile Encryption  227
About Administration of the Symantec Mobile Encryption for iOS App  227
About Symantec Mobile Encryption for iOS Configuration Files  228
Setting Policy for Symantec Mobile Encryption  230
About Dropbox File Protection  230
About Administration of the Symantec File Share Encryption for iOS App  231

Using Directory Synchronization to Manage Consumers
How Symantec Encryption Management Server Uses Directory Synchronization
Base DN and Bind DN
Consumer Matching Rules
Understanding User Enrollment Methods
Before Creating a Client Installer
Email Enrollment
Directory Enrollment
Certificate Enrollment
Enabling Directory Synchronization
Adding or Editing an LDAP Directory
The LDAP Servers Tab
The Base Distinguished Name Tab
The Consumer Matching Rules Tab
Testing the LDAP Connection
Using Sample Records to Configure LDAP Settings
Deleting an LDAP Directory
Setting LDAP Directory Order
Directory Synchronization Settings
Managing User Accounts
Understanding User Account Types
Viewing User Accounts
User Management Tasks
Setting User Authentication
Editing User Attributes
Adding Users to Groups
Editing User Permissions
Deleting Users
Searching for Users
Disabling substring key searches to protect user keys
Viewing User Log Entries
Changing Display Names and Usernames
Exporting a User's X.509 Certificate
Revoking a User's X.509 Certificate
Managing User Keys
Managing Internal User Accounts
Importing Internal User Keys Manually
Creating New Internal User Accounts
Exporting Symantec Drive Encryption Login Failure Data
Internal User Settings
Managing External User Accounts
Importing External Users
Exporting Delivery Receipts
External User Settings
Offering X.509 Certificates to External Users
Managing Verified Directory User Accounts
Importing Verified Directory Users
Symantec Encryption Verified Directory User Settings
Managing FileVault User

Using a Personal Recovery Key
Viewing FileVault Encryption Status
Recovering Encrypted Data in an Enterprise Environment
Using Key Reconstruction
Recovering Encryption Key Material without Key Reconstruction
Encryption Key Recovery of CKM Keys
Encryption Key Recovery of GKM Keys
Encryption Key Recovery of SCKM Keys
Encryption Key Recovery of SKM Keys
Using a Special Data Recovery Key
Using an Additional Decryption Key (ADK)
Using an Institutional Recovery Key (IRK)
Configuring Symantec Encryption Web Email
Overview  279
Symantec Encryption Web Email Protection and Clustering  280
External Authentication  280
Customizing Symantec Encryption Web Email Protection  282
Adding a New Template  282
Troubleshooting Customization  287
Changing the Active Template  289
Deleting a Template  290
Editing a Template  290
Downloading Template Files  290
Restoring to Factory Defaults  290
Disabling Password Reveal Button for Symantec Encryption Web Email Protection users  291
Configuring passphrase security settings for Symantec Encryption Web Email Protection users  292
Setting and managing notification languages for external users  293
Installing or upgrading to Symantec Encryption Management Server 3.4  294
Editing notification message templates  295
Viewing and setting a default global language  295
Enabling or disabling a notification language  296
Allowing or disallowing Web Email Protection users to choose a notification language  296
Setting or changing a notification language for external users  297
Configuring the Symantec Encryption Web Email Protection Service  299
Starting and Stopping Symantec Encryption Web Email Protection  300
Selecting the Symantec Encryption Web Email Protection Network Interface  300
Setting Up External Authentication  301
Creating Settings for Symantec Encryption Web Email Protection User Accounts  302
Setting Message Replication in a Cluster  304
Viewing Server and License Settings and Shutting Down Services  305
Overview  305
Server Information  305
Setting the Time  306
Licensing a Symantec Encryption Management Server  306
Downloading the Release Notes  307
Shutting Down and Restarting the Symantec Encryption Management Server Software Services  307

Shutting Down and Restarting the Symantec Encryption Management Server Hardware
Configuring the Integrated Keyserver
Overview
Starting and Stopping the Keyserver Service
Configuring the Keyserver Service
Configuring the Symantec Encryption Verified Directory
Overview
Starting and Stopping the Symantec Encryption Verified Directory
Configuring the Symantec Encryption Verified Directory
Managing the Certificate Revocation List Service
Overview
Starting and Stopping the CRL Service
Editing CRL Service Settings
Configuring Universal Services Protocol
Starting and Stopping USP
Adding USP Interfaces
System Graphs
Overview
CPU Usage
Message Activity
Whole Disk Encryption
System Logs
Overview
Filtering the Log View
Searching the Log Files
Exporting a Log File
Enabling External Logging
Configuring SNMP Monitoring
Overview
Starting and Stopping SNMP Monitoring
Configuring the SNMP Service
Downloading the Custom MIB File
Managing Administrator

Administrator Roles
Administrator Authentication
Administrator Passphrase Security Requirements
Creating a New Administrator
Importing SSH v2 Keys
Deleting Administrators
Inspecting and Changing the Settings of an Administrator
Configuring RSA SecurID Authentication
Resetting SecurID PINs
Daily Status Email
Administrator Account Lockouts and CAPTCHA
Enabling or Disabling the Administrator Account Lockout Feature
Modifying the Duration of the Administrator Account Lockout Period
Unlocking Administrator Accounts Manually
Configuring CAPTCHA for Administrator Accounts
Understanding and Configuring Administrator Passphrase Security Requirements
Passphrase Complexity
Passphrase History
Passphrase Age
Passphrase Reset
Resetting your Administrator Account Passphrase
Configuring Passphrase Security Requirements for Administrator Accounts
Protecting Symantec Encryption Management Server with Ignition
Overview  349
Ignition Keys and Clustering  350
Preparing Hardware Tokens to be Ignition Keys  350
Configuring a Hardware Token Ignition Key  352
Configuring a Soft-Ignition Passphrase Ignition Key  352
Deleting Ignition Keys  353
Backing Up and Restoring System and User Data  355
Overview
Creating Backups
Scheduling Backups
Performing On-Demand Backups
Configuring the Backup Location
Restoring From a Backup
Restoring On-Demand
Restoring Configuration
Restoring from a Different Version
Updating Symantec Encryption Management Server Software
Overview
Inspecting Update Packages
Setting Network Interfaces
Understanding the Network

Changing Interface Settings
Adding Interface Settings
Deleting Interface Settings
Editing Global Network Settings
Assigning a Certificate
Working with Certificates
Importing an Existing Certificate
Generating a Certificate Signing Request (CSR)
Adding a Pending Certificate
Inspecting a Certificate
Exporting a Certificate
Deleting a
stering your Sy
