Entrust® Entelligence Security Provider (ESP) Client for Software Profile Users (EPF) Reference Guide

Information Technology Branch (ITB), Operational Services Directorate (OSD), Information Technology Security and Continuity Division (ITSC), Credentials and Access Management Section (CAM), PKI Planning and Development Group

Date: March 21, 2011
Version: 2.6


CRA ESP Reference Guide for Software Users

March 21, 2011 v2.6

TABLE OF CONTENTS

1 LOGGING INTO YOUR ENTRUST SECURITY STORE (p. 2)
1.1 LOGGING INTO YOUR LOCAL ESP CLIENT (p. 2)
1.2 LOGGING INTO YOUR ESP CLIENT IN CTP (p. 5)
2 ONE-TIME LOGIN MIGRATION (p. 9)
2.1 POST MIGRATION EPF CLEAN-UP (p. 9)
3 SECURE EMAIL USING LOCAL ESP (p. 11)
3.1 ENCRYPTING AND SIGNING EMAILS (p. 11)
3.2 DECRYPTING EMAIL MESSAGES (p. 14)
3.3 “UNSECURE SELECTED MESSAGE” MENU OPTION (p. 15)
4 SECURE EMAIL USING ESP IN CTP (p. 16)
4.1 LAUNCHING MICROSOFT OUTLOOK 2003 IN CTP (p. 16)
4.2 ENCRYPT AND SIGN EMAILS IN CTP (p. 17)
4.3 DECRYPTING EMAIL MESSAGES (p. 20)
4.4 “UNSECURE SELECTED MESSAGE” MENU OPTION (p. 21)
5 ENCRYPTING AND SIGNING FILES USING ESP (p. 22)
5.1 FILE ENCRYPTION FOR CTP USERS (p. 22)
5.2 ENCRYPTING A FILE FOR YOURSELF (p. 23)
5.3 SIGNING A FILE FOR YOURSELF (p. 26)
5.4 ENCRYPTING AND SIGNING A FILE FOR YOURSELF (p. 30)
5.5 ENCRYPTING AND SIGNING A FILE FOR OTHERS (p. 33)
5.6 DECRYPTING A FILE (p. 38)
6 VIEWING YOUR CAPI (p. 41)
7 CERTIFICATE UPDATES (p. 43)


ABOUT THIS DOCUMENT

The purpose of this document is to help users familiarize themselves with the functionality of this core application.

PKI SUPPORT

If you are still experiencing difficulties with your ESP, please contact your Local or Regional IT Support Group. If they are unable to resolve your issue, they will raise a ticket via the National Service Desk (NSD) and bring it to the attention of PKI ADMIN to provide assistance with your request. For questions and/or clarifications relating to PKI, please contact PKI Admin via email at: IT/TI-PKI Admin ICP

PRE-REQUISITES

• Your workstation must have Entrust Entelligence Desktop Solutions (EDS) removed and replaced by Entrust Entelligence Security Provider (ESP).
• CTP users must be made part of the available Active Directory groups in order to access ESP.
• You must already have an epf. If you do not have one or you cannot find it, please visit IPRS-AS to either create or recover a new one:
  CRA PKI Web site: http://InfoZone/PKI
  IPRS-AS: https://apps.ec.rc.gc.ca/UserRegistration/disclaimer.jsp
  *Refer to the IPRS-AS User Guide for more information on how to Create and Recover your PKI Certificates.


1 LOGGING INTO YOUR ENTRUST SECURITY STORE

There is more than one way to log in to your Entrust Security Store (EPF). The more common way is:

1.1 LOGGING INTO YOUR LOCAL ESP CLIENT

Right click on the ESP icon located on the far right in the System Tray.

Select Log In… from the Entrust menu.

Click Browse… and navigate to your Entrust Security Store located on your local disk.

NOTE: The recommended and default location for your epf is C:\Documents and Settings\%userID%\Entrust. This should be the first place to look in.


Can’t find your EPF?

TIP: If your epf is not in its default location and you are not sure where it might be, try looking in your network home folder (H:\) first! If it is not in your network home folder, you can have your workstation search for it.

How do I search for my epf on my PC?

• Right-click on the Start menu (with Windows Logo)
• Select Search…
• Type in your UserID.epf (i.e. ABC123.epf) in the field labelled “All or part of the name:” (the first field)
• Under Look in:, select My Computer
• Click Search
• Once the search has completed, remember the location of your epf or move it to the default location. Then return to the ESP Login Prompt and retry browsing to your epf and typing in your password.

SEARCH TIP: Search results appear in the right pane of the window. Click "View" > "Details" to verify the type, location and date/time of each result.


Once you have located your epf, select it and click on Open to return to the ESP login prompt.

Type in your password and click on OK.

NOTE: If you have forgotten the password to your Entrust Security Store (epf), then you must go to IPRS-AS to recover a new one and to reset your password.


Notice that the red X disappears from the System Tray icon, indicating that you have successfully logged into ESP:

NOTE: You can produce the same ESP login prompt by double clicking on the ESP System Tray icon (bottom right corner of screen).

1.2 LOGGING INTO YOUR ESP CLIENT IN CTP

IMPORTANT: At the time of the ESP rollout, CTP users will need to perform the one-time login described in Section 2 of this document before launching any other CTP application requiring the use of ESP. The same procedure applies to future recoveries of PKI certificates via IPRS-AS.

Click on the Start Menu.

Select Programs (You may have to expand the Programs menu).

Select ESP {CTP-PTC}

Then select Start Entrust Security Store – Démarrer le dépôt de sécurité Entrust


OR

A second ESP icon will appear at the leftmost end of the system tray, which is most commonly located in the bottom right corner of your screen.

By double clicking on the CTP ESP icon, the following login prompt will appear.


Click Browse… to find your Entrust Security Store (UserID.epf) from the local disk.

NOTE: The recommended and default location for your epf is V:\Documents and Settings\%userID%\Entrust. This should be the first place to look in.

In CTP, the V:\ drive refers to the local disk C:\.

Type in your password.


You will notice that the red X disappears from the System Tray icon, indicating that you have successfully logged into ESP.

NOTE: If you have forgotten the password to your Entrust Security Store (epf), then you must go to IPRS-AS to recover and reset your password.


2 ONE-TIME LOGIN MIGRATION

REQUIRED: Please DELETE all previous copies of your PKI profile (.epf files). To ensure that you have the latest EPF file, please visit the IPRS-AS portal in order to recover a 'fresh' PKI profile (i.e. EPF).

IMPORTANT: The completion of this “One-Time Login Migration” is a requirement for users of both environments (Local and CTP). A migration of your PKI certificates will transform the format of your certificates from a V1 to a V2 type. You may notice a status update window appear indicating that a Digital ID Update is being performed on your PKI certificates. Accept the update, and when it is finished you will be notified that your profile has been successfully updated. Once you have been migrated, you will not be prompted for this kind of update again.

Figure 1 – Image of a migration notification or certificate update

2.1 POST MIGRATION EPF CLEAN-UP

Once your certificate has been migrated (see Figure 1 above) using ESP, it is important to make note of the location where your EPF was saved at the time of the migration. If you have not done so yet, search both your local and network drives (i.e. C: and H: drives) to find and remove all 'OLD' *.epf copies (i.e. PKI Profile) and the supporting files associated with them. For EPF search tips, refer to section 1.1 of this document for details on how to find your *.epf file(s) and the associated supporting files.

Workstation users: Your PKI profile should be saved on either the local C: drive, as advised in this user guide, or the network H: drive if required.


Laptop users with a docking station: Your PKI profile must be saved on your local C: drive only.

Note: For CTP users, take note that your profile is saved on the U: or V: drive (which represents a 'virtual C').
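The epf search of section 1.1 and the post-migration clean-up of section 2.1 are one job when done from a command line: find every copy of your profile, keep the current one, and remove the rest. The PowerShell script below is an added example, not part of the CRA guide or of ESP. It assumes PowerShell 2.0 or later, that your profile is named after your UserID (UserID.epf, as section 1.1 states), that the default location is the Entrust folder under your Windows profile (C:\Documents and Settings\%userID%\Entrust on a workstation; on CTP the drive letters differ, so add U:\ and V:\ to the drive list), and that the most recently written copy is the one ESP migrated, which is an assumption you should confirm against the location you noted during the migration. It only reports old copies (Remove-Item -WhatIf); remove the -WhatIf once the list is what you expect.

```powershell
# Added example, not code from the CRA guide or from Entrust ESP.
# Lists every <UserID>.epf on the drives the guide names, shows the same details the
# Windows search dialog does (location, size, date/time), and reports old copies.
$userId  = $env:USERNAME                         # assumption: profile is named <UserID>.epf, e.g. ABC123.epf
$drives  = @('C:\', 'H:\')                       # local disk and network home folder; CTP users add 'U:\', 'V:\'
$pattern = "$userId.epf"
$default = Join-Path $env:USERPROFILE 'Entrust'  # assumption: the default location named in section 1.1

$found = foreach ($drive in $drives) {
    if (-not (Test-Path $drive)) { Write-Warning "$drive is not available; skipping"; continue }
    Get-ChildItem -Path $drive -Filter $pattern -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
}
if (-not $found) { Write-Host "No $pattern found on $($drives -join ', ')"; return }

# Equivalent of View > Details in the search window: where each copy is and when it was written.
$found | Sort-Object LastWriteTime -Descending | Format-Table FullName, Length, LastWriteTime -AutoSize

# Assumption: the copy written most recently is the one ESP migrated (section 2) and is kept.
$newest = $found | Sort-Object LastWriteTime -Descending | Select-Object -First 1
Write-Host "Current profile: $($newest.FullName)"
if ($newest.DirectoryName -ne $default) {
    Write-Host "Recommended location is $default (section 1.1); consider moving the profile there."
}

# Every other copy is an OLD profile that section 2.1 says to remove. -WhatIf only reports;
# drop it after reviewing the list. The supporting files kept beside an old copy are not
# touched here, because the guide does not name them.
$found | Where-Object { $_.FullName -ne $newest.FullName } | ForEach-Object {
    Write-Host "Old copy: $($_.FullName) (last written $($_.LastWriteTime))"
    Remove-Item -LiteralPath $_.FullName -WhatIf
}
```

Run it from a normal PowerShell prompt; searching a network home folder can take a while, and a missing drive letter is skipped with a warning rather than treated as an error.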


3 SECURE EMAIL USING LOCAL ESP

Encryption ensures the confidentiality of a message, while signing protects the integrity and authenticity of a message. The option to “Encrypt and Sign” should always be used so that both protections apply and you get the full benefit of your PKI certificates.

3.1 ENCRYPTING AND SIGNING EMAILS

In Outlook, compose a new email message by either:

• going to the File menu: click File, then New, then Mail Message (or press Ctrl + N);

OR

• clicking New in the toolbar.

Once the new message is open, you will notice two icons in the toolbar: a yellow envelope with a blue padlock, and another with a red ribbon.

o The blue padlock indicates Encryption.

o The red ribbon means Digital Verification [provides authenticity that the message did in fact come from you].


To ENCRYPT an email message you must:

Single click on the yellow envelope with the blue padlock.

After clicking on the icon, you will notice a blue outline, or a blue outline with an orange filled box, surrounding the icon. This indicates that you now have encryption enabled on the message.

Click on Send and the message will be sent encrypted. Password authentication is not required for the Encryption Operation.

To ENCRYPT and SIGN an email message you must:

Single click on the yellow envelope with the blue padlock and single click on the yellow envelope with the red ribbon.

After clicking on the icons, you will notice a blue outline, or a blue outline with an orange filled box, surrounding the icons. This indicates that you now have encryption and verification (signature) enabled on the message.

Since you are applying a Digital Verification Signature to this message using the Sign Operation along with the Encryption Operation, you may be prompted for password authentication if you have not yet logged into ESP or if your session has timed out after a period of inactivity.


To SIGN an email message you must:

Single click on the yellow envelope with the red ribbon.

After clicking on the icon, you will notice a blue outline, or a blue outline with an orange filled box, surrounding the icon. This indicates that you now have signing (verification) enabled on the message.

Since you are applying a Digital Verification Signature to this message using the Sign Operation, you may be prompted for password authentication if you have not yet logged into ESP or if your session has timed out after a period of inactivity.


3.2 DECRYPTING EMAIL MESSAGES

When encrypted or encrypted/signed emails arrive in your Inbox, you will notice that the envelope has a blue padlock on it:

When opening the message, the following status window will appear:

ESP begins decrypting your message.

When decrypting, you may be prompted for your Entrust Security Store password, if you have not yet logged into ESP or if it has timed out after a period of inactivity.

Once the password is provided, ESP will finish the decryption process and your message opens.
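Section 3 opens with the distinction the rest of this guide rests on: encryption gives confidentiality, a signature gives integrity and authenticity. The PowerShell script below is an added example, not part of the CRA guide and not ESP's Outlook integration; it uses the .NET CMS classes in System.Security.Cryptography.Pkcs against the same verification and encryption certificates that ESP loads into CAPI (section 6) to show both properties outside Outlook: a detached signature that stops verifying once one bit of the message changes, and an enveloped message whose plaintext is absent from the ciphertext and recoverable only with the encryption private key. It assumes you are logged in to ESP (section 1) so the certificates and their private keys are visible in Cert:\CurrentUser\My, that the verification certificate carries the DigitalSignature key usage and the encryption certificate KeyEncipherment (an assumption about the certificate profile), and that the Entrust CSP serves the private keys, which may bring up the ESP password prompt the guide describes for the Sign Operation and for decrypting. The sample message is constructed.

```powershell
# Added example, not code from the CRA guide or from Entrust ESP. Shows what "Sign" and
# "Encrypt" each protect, using the verification and encryption certificates ESP loads
# into the CAPI Personal store. Assumes PowerShell 2.0+ and an active ESP login.
Add-Type -AssemblyName System.Security      # System.Security.Cryptography.Pkcs classes

function Get-RoleCert([string]$KeyUsage) {
    # Assumption: verification cert = DigitalSignature key usage, encryption cert = KeyEncipherment.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and (
            ($_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
                ForEach-Object { $_.KeyUsages.ToString() }) -match $KeyUsage)
    } | Select-Object -First 1
}

$signCert = Get-RoleCert 'DigitalSignature'
$encCert  = Get-RoleCert 'KeyEncipherment'
if (-not $signCert -or -not $encCert) {
    Write-Warning 'Verification and/or encryption certificate not found in CAPI; log in to ESP first (sections 1 and 6).'
    return
}

# Constructed sample message; stands in for the email body or the file.
$message = [Text.Encoding]::UTF8.GetBytes('Constructed sample: the quarterly figures are attached.')
$content = New-Object System.Security.Cryptography.Pkcs.ContentInfo (,$message)

# --- SIGN (red ribbon): detached CMS signature over the message with the verification key.
# ESP may show its password prompt here, as the guide says for the Sign Operation.
$signer = New-Object System.Security.Cryptography.Pkcs.CmsSigner ($signCert)
$signed = New-Object System.Security.Cryptography.Pkcs.SignedCms ($content, $true)
$signed.ComputeSignature($signer)
$signature = $signed.Encode()

function Test-Signature([byte[]]$Data, [byte[]]$Signature) {
    # $true only if $Signature was made over exactly $Data by the certificate embedded in it.
    try {
        $ci  = New-Object System.Security.Cryptography.Pkcs.ContentInfo (,$Data)
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms ($ci, $true)
        $cms.Decode($Signature)
        $cms.CheckSignature($true)      # $true: verify the signature itself, not the CA chain
        return $true
    } catch { return $false }
}

$altered = [byte[]]$message.Clone()
$altered[0] = $altered[0] -bxor 1       # flip one bit of the message
"Signature verifies on the original message: $(Test-Signature $message $signature)"
"Signature verifies on the altered message : $(Test-Signature $altered $signature)"   # an altered message must not verify

# --- ENCRYPT (blue padlock): CMS enveloped data addressed to the encryption certificate.
# No password is needed to encrypt, matching the guide; only decrypting uses the private key.
$enveloped = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms ($content)
$enveloped.Encrypt((New-Object System.Security.Cryptography.Pkcs.CmsRecipient ($encCert)))
$cipher = $enveloped.Encode()
$leaks  = [Text.Encoding]::UTF8.GetString($cipher) -like '*quarterly figures*'
"Plaintext visible inside the encrypted blob: $leaks"                                   # must be False

$opened = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
$opened.Decode($cipher)
$opened.Decrypt()                       # finds the matching private key in Cert:\CurrentUser\My; ESP may prompt
"Decrypted: $([Text.Encoding]::UTF8.GetString($opened.ContentInfo.Content))"
```

The signature is made detached so the message bytes and the signature are separate objects: that is what lets the script hand the verifier a modified message and watch the check fail, which is the integrity guarantee the red ribbon stands for. The encrypted blob is addressed to one recipient here; adding further CmsRecipient objects is the CMS equivalent of the "encrypt for other people" option in section 5.5.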


3.3 “UNSECURE SELECTED MESSAGE” MENU OPTION

Secure Email protects data while it is in transit. Once the email (information) has been received and/or sent, the user is advised to select “Actions” from the menu and then the menu option entitled “Unsecure Selected Message”, thereby decrypting the information, which is now “at rest”. This lets the user access the information without having to log in to Entrust each time. It is recommended practice to do this on an ongoing basis. Note that an unsecured message is stored in plain text in your mailbox, so from then on it is protected only by the mailbox's own access controls.

Secured:

Unsecured:


4 SECURE EMAIL USING ESP IN CTP

4.1 LAUNCHING MICROSOFT OUTLOOK 2003 IN CTP:

There are two different ways to launch Microsoft Outlook 2003 in CTP. One is through the Windows Start menu; the other is through the PNAgent, located in the bottom right corner of your screen. You will notice a {CTP-PTC} label next to the application’s name. This label indicates that you are accessing an application from the CTP environment.


4.2 ENCRYPT AND SIGN EMAILS IN CTP:

In Microsoft Outlook 2003 {CTP-PTC}, compose a new email message either by:

• going to the File menu: click File, then New, then Mail Message (or press Ctrl + N);

OR

• clicking New in the toolbar.

Once the new message is open, you will notice two icons in the toolbar: a yellow envelope with a blue padlock, and another with a red ribbon.

o The blue padlock means Encryption.

o The red ribbon means Digital Verification [provides authenticity that the message did in fact come from you].

To ENCRYPT an email message you must:

Simply perform a single click on the yellow envelope with the blue padlock.

After clicking on the icon, you will notice a blue outline (or a blue outline with an orange filled box) surrounding the icon. This indicates that you now have encryption enabled on the message.


Click on Send and the message will be sent off encrypted. Password authentication is not required for the Encryption Operation.

To ENCRYPT and SIGN an email message you must:

Single click on the yellow envelope with the blue padlock and single click on the yellow envelope with the red ribbon.

After clicking on the icons, you will notice a blue outline (or a blue outline with an orange filled box) surrounding the icons. This indicates that you now have encryption and verification (signature) enabled on the message.

Since you are applying a Digital Verification Signature to this message using the Sign Operation along with the Encryption Operation, you may be prompted for password authentication if you have not yet logged into ESP or if your session has timed out after a period of inactivity.


To SIGN an email message you must:

Single click on the yellow envelope with the red ribbon.

After clicking on the icon, you will notice a blue outline, or a blue outline with an orange filled box, surrounding the icon. This indicates that you now have signing (verification) enabled on the message.

Since you are applying a Digital Verification Signature to this message using the Sign Operation, you may be prompted for password authentication if you have not yet logged into ESP or if your session has timed out after a period of inactivity.


4.3 DECRYPTING EMAIL MESSAGES

When encrypted or encrypted/signed emails arrive in your Inbox, you will notice that the envelope has a blue padlock on it:

When opening the message, the following status window will appear:

ESP begins decrypting your message.

When decrypting, you may be prompted for your Entrust Security Store password, if you have not yet logged into ESP or if it has timed out after a period of inactivity.

Once the password is provided, ESP will finish the decryption process and your message opens.


4.4 “UNSECURE SELECTED MESSAGE” MENU OPTION

Secure Email protects data while it is in transit. Once the email (information) has been received and/or sent, the user is advised to select “Actions” from the menu and then the menu option entitled “Unsecure Selected Message”, thereby decrypting the information, which is now “at rest”. This lets the user access the information without having to log in to Entrust each time. It is recommended practice to do this on an ongoing basis. Note that an unsecured message is stored in plain text in your mailbox, so from then on it is protected only by the mailbox's own access controls.

Secured:

Unsecured:


5 ENCRYPTING AND SIGNING FILES USING ESP

5.1 FILE ENCRYPTION FOR CTP USERS

You will need to have your CTP Windows Explorer {CTP-PTC} window open in order to perform any file encryption in the CTP environment.

There is more than one way to open Windows Explorer {CTP-PTC}.


The following window will appear.

Navigate to the location of the file on which you wish to perform one of the following tasks.

5.2 ENCRYPTING A FILE FOR YOURSELF

Right click on the file you would like to encrypt. Select Entrust Encrypt File…


The Encrypt Files Wizard window will be displayed. The files being encrypted will be listed in the dialog box. Click on the Next> button.

The next window will show your encryption certificate. Click on the Next> button.


The next window will inform you that the file encryption is complete. The encrypted file will be displayed in the dialog box. Click on the Finish button.

The file is now encrypted.


5.3 SIGNING A FILE FOR YOURSELF

Right click on the file you would like to sign. Select Entrust Digitally Sign File…


The Digitally Sign Files Wizard window will be displayed. The files being digitally signed will be listed in the dialog box. Click on the Next> button.

The next window will show your verification certificate. Click on the Next> button.


If you are not currently logged into your PKI certificate store, the Entrust Security Store Login window will be displayed. Enter your password and click on the OK button.


The next window will inform you that the file digital signing is complete. The digitally signed file will be displayed in the dialog box. Click on the Finish button.

The file is now digitally signed.


5.4 ENCRYPTING AND SIGNING A FILE FOR YOURSELF

Right click on the file you would like to encrypt and sign. Select Entrust Encrypt and Digitally Sign File…

The Encrypt and Digitally Sign Files Wizard window will be displayed. The files being encrypted and digitally signed will be listed in the dialog box. Click on the Next> button.


The next window will show your encryption and verification certificates. Click on the Next> button.

If you are not currently logged into your PKI certificate store, the Entrust Security Store Login window will be displayed. Enter your password and click on the OK button.


The next window will inform you that the file encryption and digital signing is complete. The encrypted and digitally signed file will be displayed in the dialog box. Click on the Finish button.

The file is now encrypted and digitally signed.


5.5 ENCRYPTING AND SIGNING A FILE FOR OTHERS

When encrypting a file you have the option of encrypting the content so that other recipients can decrypt the data.

Right click on the file you would like to encrypt and sign. Select Entrust Encrypt and Digitally Sign File… (the encrypt-for-others option is also available when Entrust Encrypt File… is selected).


The Encrypt and Digitally Sign Files Wizard window will be displayed. The files being encrypted and digitally signed will be listed in the dialog box. Click on the Next> button.

The next window will show your encryption and verification certificates. Select the Encrypt the files for other people in addition to yourself check box. Click on the Next> button.


The next window will allow you to select additional recipients that the file will be encrypted for. Click on the Add… button.

The Select People window will be displayed. Type in the last name followed by the first name of the person you want to add (omitting the first name also works) in the search field. Click on the downward arrow next to the Search button and select the Search CRA/CBSA Production Directory followed by the CRA/CBSA Production Directory option (if the person you are trying to add is from another government department select GoC Production Directory option).


The user’s certificate will be displayed in the dialog box. Select the user’s certificate and click on the OK button.

The Encrypt and Digitally Sign Files Wizard window will be displayed again. The selected user will have been added to the dialog box. Multiple users can be added as recipients on the same file. To add another recipient, select the Add button and follow the steps described above. When you are done adding users, click on the Next> button.


The next window will inform you that the file encryption and digital signing is complete. The encrypted and digitally signed file will be displayed in the dialog box. Select the Finish button.

The file is now encrypted and digitally signed. The file is ready to be shared with the recipients.


5.6 DECRYPTING A FILE

Two options are available to decrypt a file. One will open the file after decryption and verification is complete and the other will not.

Right click on the file you would like to decrypt and verify. Select Decrypt and Verify (Decrypt, Verify and Open will open the file upon completion of decryption and verification).


If you are not currently logged into your PKI certificate store, the Entrust Security Store Login window will be displayed. Enter your password and click on the OK button.

If you have selected the Decrypt, Verify and Open option a warning message will be displayed. Click on Yes to continue.


The file is now decrypted and has been verified.


6 VIEWING YOUR CAPI

Viewing CAPI with Internet Explorer

• Launch Internet Explorer.
• In the menu bar, click on Tools.
• Under Tools, select Internet Options.
• An Internet Options window appears.
• Click on the tab labelled Content.
• About half way down the tab you will see a Certificates button. Click on it.
• Make sure you are under the tab labelled Personal to see your certificates.
• There you will see two green certificates with your Lastname, Firstname next to them.


Viewing CAPI with Entrust Certificate Explorer

• Launch your Entrust Certificate Explorer:

o On the local machine: via the Start menu, Start => Programs => Entrust Entelligence => Entrust Certificate Explorer, OR right click on the ESP icon in the system tray and select Entrust Certificate Explorer from the menu.

o On CTP: right click on the ESP icon in the system tray and select Entrust Certificate Explorer from the menu.


7 CERTIFICATE UPDATES

Like everything else in the computer world, your PKI certificate is subject to updates. As long as you have your PKI verification and encryption credentials loaded in your CAPI, you can expect to receive the occasional updates and/or renewal notices generated by the Certification Authority (CA) (refer to section 6). Note: ESP has a feature called “EECWATCH”, which periodically checks for updates to your PKI certificate. When it detects an update, you will automatically receive a notification in your System Tray which looks like this:

When you double click on the icon, one of two pop-up messages will appear:

Figure 2 - Certificate Update

Figure 3 - Recovery Request

If you see the pop-up in figure 2, one of a few different updates has occurred to your PKI certificate: either your PKI certificate has reached its three (3) year lifespan and requires renewal, or an update was pushed manually to your PKI certificate by an Administrator. In either case, your action is required. The manual updates can take the form of a DN (Distinguished Name) change, an email address update, or a change in certificate type (e.g. *.epf, BlackBerry user, *.tkn token type). A DN change is required in the event that a user’s ‘Surname’ changes. A request must be sent to your local or regional IT support for PKI Admin support.
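What the Certificates dialog in section 6 shows can be read from the same CAPI store in PowerShell, which also makes the three-year lifespan from this section something you can check rather than wait to be told about. The script below is an added example, not part of the CRA guide or of ESP. It assumes PowerShell 2.0 or later, that ESP is logged in so the profile's certificates are in Cert:\CurrentUser\My, and that the verification certificate carries the DigitalSignature key usage and the encryption certificate KeyEncipherment (an assumption about the certificate profile); the 30-day warning threshold is an arbitrary choice. It reports only; renewals are still driven by the CA and surfaced by EECWATCH as the section describes.

```powershell
# Added example, not code from the CRA guide or from Entrust ESP: list the certificates
# ESP loaded into the CAPI Personal store, tell the verification certificate from the
# encryption one, and flag any that are close to expiry. Assumes PowerShell 2.0+.
$warnDays = 30          # assumption: warn when fewer than 30 days remain
$now = Get-Date

function Get-CertRole($Cert) {
    # Assumption: verification cert = DigitalSignature key usage, encryption cert = KeyEncipherment.
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    if (-not $ku) { return 'unknown' }
    $flags = $ku.KeyUsages.ToString()
    if ($flags -match 'DigitalSignature') { return 'verification' }
    if ($flags -match 'KeyEncipherment')  { return 'encryption' }
    return 'other'
}

$report = foreach ($c in Get-ChildItem -Path Cert:\CurrentUser\My) {
    New-Object PSObject -Property @{
        Role       = Get-CertRole $c
        Subject    = $c.Subject          # your own certificates show your name here (section 6)
        NotAfter   = $c.NotAfter
        DaysLeft   = [int]($c.NotAfter - $now).TotalDays
        HasKey     = $c.HasPrivateKey    # $false means the private key is not loaded (ESP not logged in)
        Thumbprint = $c.Thumbprint
    }
}

if (-not $report) {
    Write-Warning 'Personal store is empty: log in to ESP first (section 1) so the profile is loaded into CAPI.'
    return
}
$report | Sort-Object Role | Format-Table Role, Subject, NotAfter, DaysLeft, HasKey -AutoSize

# Section 6 says two certificates should be present: one verification, one encryption.
foreach ($role in 'verification', 'encryption') {
    if (-not ($report | Where-Object { $_.Role -eq $role -and $_.HasKey })) {
        Write-Warning "No $role certificate with a private key found; check the ESP login (section 1)."
    }
}
# Section 7: expiry means a renewal is coming; EECWATCH will raise the Certificate Update notice.
foreach ($r in ($report | Where-Object { $_.DaysLeft -lt $warnDays })) {
    Write-Warning "$($r.Role) certificate '$($r.Subject)' expires $($r.NotAfter) ($($r.DaysLeft) days left); expect a Certificate Update notice."
}
```

The Key Usage extension is what distinguishes the two green certificates the guide mentions; a store that shows only one role, or certificates without private keys, is the usual sign that ESP is not logged in or that the wrong epf was opened.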


If you see the pop-up in figure 3, your certificate has been revoked by either an Administrator or by IPRS-AS. If by an Administrator, it is because a request was made to have the user’s certificate revoked, for various reasons. If this has been done in error, please inform your local or regional IT support for PKI Admin support immediately. When a user visits IPRS-AS to recover a new EPF, this process revokes the previous set of digital keys associated with the certificate and gives the user a new set of keys. Most users who come across this type of pop-up message have multiple network devices (i.e. workstation and laptop), or keep multiple copies of their EPF file somewhere on their local or network drives. If you are a user who requires more than one copy of your EPF, it is extremely important that you delete any older copies of your EPF and replace them with the newest EPF. For information on how to find your .EPF files, refer to section 1.2 of this document.