PGP Encryption Server Requirements to connect to a remote key server over LDAPS (Symantec Encryption Management Server)



Article ID: 175858


Products

Encryption Management Server

Issue/Introduction

The PGP Encryption Server (Symantec Encryption Management Server) can look up keys on remote PGP Encryption Servers over a secure LDAPS connection.

Remote key servers are added on the Keys / Keyservers page of the administration console. The key server needs to be referenced within a rule in the Mail / Mail Policy page of the administration console.

Sometimes the LDAPS connection to the remote key server fails.

The Mail log may contain an entry like this:

2019/08/30 11:23:20 +00:00  INFO   pgp/messaging[20843]:       SMTP-00001: key search <[email protected]> [keyserver.example.com]: Could not get recipient encryption key: server open failed

Resolution

Because LDAPS is a secure connection to a remote key server, creating a successful LDAPS connection involves satisfying a number of requirements.

For ease of reference, the PGP Encryption Server that is making the LDAPS connection is referred to below as the LDAPS client and the remote PGP Server that is hosting the LDAPS service is referred to as the LDAPS server.

Ensure that the following recommendations are met.

  1. A valid TLS certificate, preferably issued by a public certification authority, is associated with the relevant network interface of both the LDAPS client and the LDAPS server.

  2. The certificates in the issuing chain of both the LDAPS server and the LDAPS client are imported into Keys / Trusted Keys in the administration console and trusted for TLS on both the LDAPS server and the LDAPS client.

  3. The issuing certificate (invariably an intermediate certificate) on both the LDAPS client and LDAPS server contains an Enhanced Key Usage field with the attributes Server Authentication and Client Authentication. This is always the case for certificates issued by a public certification authority but may not be true for private certification authorities.

  4. The LDAPS client uses a DNS name (rather than an IP address) to connect to the LDAPS server. For example, keyserver.example.com.

  5. The DNS name matches the CN attribute of the Subject field of the LDAPS server certificate.
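As an added example (not part of the original article, and not a tool shipped with the Encryption Server), the following POSIX shell functions use OpenSSL to test requirements 2, 3 and 5 against the certificate that the LDAPS server actually presents. The host name keyserver.example.com is the article's own placeholder; port 636 is assumed to be the LDAPS port, and the name check also accepts a matching DNS entry in the Subject Alternative Name extension, which most TLS stacks consult before the CN.

```shell
#!/bin/sh
# Added example: pre-flight checks for an LDAPS server certificate, run from
# any host that has OpenSSL 1.1.1 or later. Host name and port are assumptions.

# Fetch the chain the LDAPS server presents and save it as PEM (leaf first).
# Usage: fetch_ldaps_chain keyserver.example.com 636 /tmp/chain.pem
fetch_ldaps_chain() {
    host=$1; port=${2:-636}; out=$3
    # -servername sends SNI so a name-based virtual host returns the right cert
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
    [ -s "$out" ]
}

# Requirement 3: the certificate must carry the Extended Key Usage values
# Server Authentication and Client Authentication. Returns 0 if both present.
check_eku() {
    eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null)
    printf '%s\n' "$eku" | grep -q 'TLS Web Server Authentication' &&
        printf '%s\n' "$eku" | grep -q 'TLS Web Client Authentication'
}

# Requirement 5: the DNS name used for the connection must match the subject
# CN; a matching DNS entry in subjectAltName is also accepted.
check_name() {
    cert=$1; name=$2
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$name" ] && return 0
    # escape dots so the host name is matched literally inside the SAN list
    pat=$(printf '%s' "$name" | sed 's/\./\\./g')
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
        grep -qE "DNS:$pat(,|$)"
}

# Requirement 2: the certificate must chain to issuers that are trusted for
# TLS. $2 is a PEM bundle of the same issuing certificates that were imported
# into Keys / Trusted Keys. openssl verify also rejects an expired certificate.
check_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all three checks on a saved certificate file; returns 0 only if all pass.
check_ldaps_cert() {
    cert=$1; name=$2; trusted=$3
    check_eku "$cert" && check_name "$cert" "$name" && check_chain "$cert" "$trusted"
}
```

Run `fetch_ldaps_chain keyserver.example.com 636 /tmp/chain.pem` from a host that can reach the key server, then `check_ldaps_cert /tmp/chain.pem keyserver.example.com issuers.pem`. `openssl x509` reads only the first certificate in a file, which is the server's own certificate in `s_client` output, so run `check_eku` against each issuing certificate in `issuers.pem` separately if you also want to confirm requirement 3 on the intermediate.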


For more information on troubleshooting keyserver lookups, see the following article:

170457 - PGP Encryption Server cannot search for keys on remote hosts (Symantec Encryption Management Server)