Secure Messaging Extension User’s Guide Release 5.0.5 for Schema Run-time Environment (SRE) Monk Version Copyright © 2005, 2010, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related software documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open Company, Ltd. This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services. Version 20101007170207. Secure Messaging Extension User’s Guide 2 Contents Contents Chapter 1 Introduction 5 Overview 5 Intended Reader 5 Components 5 Introducing S/MIME 6 Introducing Secure Messaging Extension 7 Supported Operating Systems 10 System Requirements 10 Environment Variable Settings 10 Chapter 2 Installation 11 Windows 11 Pre-installation 11 Installation Procedure 11 UNIX 12 Pre-installation 12 Installation Procedure 12 Files/Directories Created by the Installation 13 Chapter 3 Implementation 14 Sample Configuration 14 Sample Implementation 15 Sample Monk Scripts 15 Certificate Formats 15 Secure Messaging Extension User’s Guide 3 Contents Chapter 4 Secure Messaging Extension Functions 19 Secure Messaging Extension Functions 19 begin-session 19 db-query 20 db-store 21 end-session 23 set-param 24 sign-encrypt 26 verify-decrypt 28 wipe-handle 30 Index 31 Secure Messaging Extension User’s Guide 4 Chapter 1 Introduction This document discusses how to install and configure Secure Messaging Extension. 1.1 Overview Secure Messaging Extension enables e*Gate to process Events utilizing the S/MIME (Secure Multipurpose Internet Mail Extensions) message format. Secure Messaging Extension supports encryption, decryption and authentication of messages and is interoperable with any other client applications that support the S/MIME standard. This adds the following features to a transaction: privacy message (Event) authentication sender authentication nonrepudiation. 1.1.1 Intended Reader The reader of this guide is presumed to be a developer or system administrator with responsibility for maintaining the e*Gate system; to have expert-level knowledge of Windows and/or UNIX operations and administration; and to be thoroughly familiar with Windows-style GUI operations. 1.1.2 Components The following components comprise Secure Messaging Extension: Secure Messaging Extension Monk function scripts Dynamically loaded libraries (DLLs) Monk collaborations that load and call their functions. A complete list of the installed files appears in Table 1 on page 13. Secure Messaging Extension User’s Guide 5 Chapter 1 Section 1.2 Introduction Introducing S/MIME 1.2 Introducing S/MIME Secure Multipurpose Internet Mail Extension (S/MIME) is a type of MIME message format that supports digital signatures and encryption of messages. The new form is based on the public-key encryption technology created by RSA Data Security, Inc. The RSA algorithm is based on the fact that there is no efficient way to factor very large numbers, making nearly it impossible to derive the private key based solely on the public key. The public-key encryption system uses two keys: a public key known to everyone and a private key known only to the recipient of the message. For example, if JaneDoe wants to send a secure message to JohnDoe, JaneDoe uses JohnDoe’s public key to encrypt the message. JohnDoe then utilizes his own private key to decrypt it. Only the public key can be used to encrypt messages, and only the corresponding private key can be used to decrypt them (and vice versa). Similarly, the sender utilizes his/her private key to include a signature on the message, while the recipient uses the sender’s public key to verify the signature. MIME offers a standardized way to represent and encode a wide variety of media types for transmission via the internet. Many e-Mail clients now support MIME, which enables sending and receiving of graphics, audio, and video files via the Internet. MIME also supports messages in character sets other than ASCII. When using MIME, messages can contain the following data types: Text messages in US-ASCII Character sets other than US-ASCII Multi-media: Image, Audio, and Video messages Multiple objects in a single message Messages of unlimited length Binary files. With the implementation of S/MIME, the protocol is available that adds digital signatures and encryption to these messages. These messages consist of two parts: the header and the body. The header forms a collection of field/value pairs structured to provide information necessary for the transmission of the message. MIME defines how the body of a message is structured. This format permits the inclusion of the above mentioned data types in a standardized manner. S/MIME defines the security services, adding digital signatures and encryption, thus preventing forgery and interception. For more information regarding S/MIMIE, please see RSA Laboratories’ Frequently Asked Questions About Today’s Cryptography, available online at: http://www.rsasecurity.com/rsalabs/faq/. Also available is Internet Engineering Task Force S/MIME Message Specification (proposed standard) at: http://www.ietf.org/rfc/rfc2633.txt. Secure Messaging Extension User’s Guide 6 Chapter 1 Section 1.3 Introduction Introducing Secure Messaging Extension 1.3 Introducing Secure Messaging Extension The Secure Messaging Extension provides security features, allowing the secure transmission of exchanges over public domains such as the Internet. Secure Messaging Extension adds the ability to use Public Key Infrastructure (PKI) technology to ensure the confidentiality of exchanges by digitally signing and encrypting messages as they are sent, and decrypting and authenticating messages when they are received. The Secure Messaging Extension performs the encryption and decryption of messages using the S/MIME standard. The standard one-way hash algorithms ensure data integrity by verifying that no modifications are made to the message while in transit. The identity of the sender of a message is verified through the use of digital signatures, proving that the message actually originated from the entity who claims to have sent it. The following flowcharts show the processing of the data from receipt to destination. Secure Messaging Extension User’s Guide 7 Chapter 1 Section 1.3 Introduction Introducing Secure Messaging Extension Figure 1 Inbound Signed/Encrypted Message Receives an Inbound Message No Encrypted Event? Yes Separate Block encrypted Event from PKI encrypted Session Key Encryption No required for this Event? Retrieve Receiver's Private Key from PKI Database