
CertifiedMail RSA SecurID Ready Implementation Guide Page 1 of 10

SecurID Ready Implementation Guide:


CertifiedMail Secure E-mail Server™

Last Modified 3/16/2001

1. Partner Information
Partner Name CertifiedMail.com Inc.
Web Site www.CertifiedMail.com
Product Name CertifiedMail Secure E-mail Server
Version & Platform 2.0 (Intel)
Product Description E-mail travels over the Internet in plain text, and has the same security as a postcard. It also lacks accountability, since return receipts are unreliable. For sending important information such as legal documents and business plans, e-mail is insufficient. Health industry regulations (HIPAA) even impose fines and jail time for sending patient information by standard e-mail.

The CertifiedMail Server adds universal secure e-mail to your current e-mail system. By using open standards, the system easily supports organizations sending secure e-mail to thousands or millions of partners and customers. No special software or digital certificates are required, and there is minimal administration. A web interface provides secure sending, receiving and tracking of messages, and provides access from any Internet browser including cell phones with WAP browsers.

For one-click security from your e-mail client, a "Send Certified" button is provided for Microsoft Outlook and Lotus Notes. Integration with enterprise applications via XML provides automated sending of secure messages and statements. Confirmation that a message was opened, and the ability to retract messages ("Oops button"), are also provided. The CertifiedMail Server integrates with RSA SecurID and your ACE/Server to provide strong authentication of all or selected users.
Product Category E-mail & Office Automation

Figure: CertifiedMail SecurID Architecture (diagram; only its labels are recoverable here).
Labels in the diagram:
  Secure E-mail for External Users: WAP/HDML and Palm VII clients via Cell Tower and Internet; CertifiedMail via browser, optional SecurID login (2-way secure communication via 128-bit SSL); PC with Send Certified button.
  Network Switch; DMZ Firewall; Internal Firewall; Web; ACE/Agent (server icons labeled ProLiant 8000 and DLT).
  Implement two-factor authentication with: CertifiedMail, ACE/Server, SecurID Tokens.
  Secure E-mail for Internal Users (Internal Corporate Network): browser access to CertifiedMail; Send Certified button with SecurID login.
  CertifiedMail XML Engine and Database: XML integration with enterprise applications for automated sending of secure messages and statements to thousands or millions of customers.
  Key: CertifiedMail Software Component (3Q 2001); Secure External Communication; Secure Internal Communication.
For more information, visit us at http://CertifiedMail.com

(c) 2001 CertifiedMail.com Inc.



2. Contact Information

Pre-Sales:  Sales Department, sales@CertifiedMail.com, 800-672-7233, www.CertifiedMail.com
Post-Sales: Support Department, support@CertifiedMail.com, 800-672-7233, www.CertifiedMail.com

3. Solution Summary

Feature Details

Authentication methods supported Native SecurID

New PIN support All

Next tokencode support Yes

Secondary server support Slave ACE/Server

Location of node secret on client %SystemRoot%\system32 or system registry

ACE/Server client definition type Net OS

SecurID user specification Designated users

SecurID protection of administrators Yes

4. Product Requirements

The CertifiedMail Server is preconfigured and ready to install into your DataCenter or
co-location facility. It contains the following software and hardware components:

Software
Operating System  Windows NT Advanced Server, Windows 2000 Advanced Server or Windows 2000 Datacenter Server
Database          MS-SQL 7, MS-SQL 2000 or Oracle (Unix, Linux, Windows NT, Windows 2000)
Web               IIS 4.0 or IIS 5.0
SMTP              MS-SMTP or uses your existing SMTP server
Security          Hardened OS, SSL transport encryption, WTLS wireless encryption, encrypted database

Hardware
Server            2 to 32 Intel Pentium III+ CPUs per server. 1 GB+ RAM. (If an Oracle database is used, an appropriate Linux, Solaris or Unix hardware platform is required.)
Configuration     Clustered database servers; load-balanced web and SMTP servers



Clients can access the CertifiedMail Server with any Internet browser, including cell
phones with WAP browsers. Please note, however, that SecurID authentication is only
supported on standard HTML-based browsers (e.g. Netscape Navigator and Microsoft
Internet Explorer).

5. Partner ACE/Agent configuration

Before attempting to configure CertifiedMail for SecurID authentication, make sure the
following constraints have been satisfied:

• The CertifiedMail Server, and the web administration console, are properly
  installed and configured.

• Users can successfully perform a standard CertifiedMail login and access their
  messages. Consult the CertifiedMail Administrator's Guide for information on
  how to do this.

• You have made the machine running CertifiedMail a "Net OS" client of the
  ACE/Server and copied the sdconf.rec file to the %SystemRoot%\system32\
  directory.

Install the RSA ACE Agent on the Windows NT/2000 Server that is running Microsoft
Internet Information Server. This is the same computer running the CertifiedMail web
server.

Once IIS is running and the RSA ACE/Agent is installed, use the Microsoft Management
Console to protect the SecurID.asp page for CertifiedMail. Once you have "locked
down" the login page, users will be SecurID-challenged when attempting to access
it. For more information on how to SecurID-protect virtual servers and
directories, consult the RSA ACE/Agent v4.4 for Windows NT Administrator's Guide.

For maximum flexibility, SecurID login can be enabled for one or more CertifiedMail
users. Login options available to users include SecurID, User Name and Password, or
other authentication devices that may be installed (e.g. biometric). To enable SecurID,
log in to the CertifiedMail Server from your web browser as the CertifiedMail
Administrator. Then, from the Member Center, select the Admin Console. Select a user
from the list and edit their properties. To enforce SecurID access for this user, make
sure that the user's Login Name matches the "Default login" of their ACE/Server
account exactly, then select "Require SecurID to login" (figure 1):

Figure 1 CertifiedMail Admin Console

When the user performs a CertifiedMail login by entering their User Name and SecurID
Passcode, the CertifiedMail Server redirects their browser to the SecurID.asp page.
If their login credentials are correct, they are transparently logged into their
CertifiedMail account. If their login is not correct, or a special case such as
New PIN mode applies, the appropriate SecurID HTML pages are displayed to the user.
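The two decisions described above, the Login Name / "Default login" match that must hold before "Require SecurID to login" is set (figure 1), and the dispatch of a login attempt to the inbox, the bad-passcode page, the New PIN page or Next Tokencode handling, modeled as an added example. This is not CertifiedMail or RSA code: the ACE result codes, the page names other than SecurID.asp, the FakeAceServer interface and all user and token data are constructed for illustration, since the real ACE/Agent API is not shown in this guide. The property the model makes checkable is that a user flagged Require SecurID is never admitted through the User Name and Password branch.

```python
"""Model of the SecurID-related login decisions in section 5 of the guide.

Added example, not CertifiedMail or RSA code. The ACE result codes, the page
names other than SecurID.asp, and all user/token data are assumptions made
for illustration; the real ACE/Agent API is not on the page.
"""
from dataclasses import dataclass, field
from enum import Enum


class AceResult(Enum):
    ACCESS_OK = "access_ok"
    ACCESS_DENIED = "access_denied"              # bad passcode (figure 5)
    NEW_PIN_REQUIRED = "new_pin_required"        # New PIN mode (figure 4)
    NEXT_TOKENCODE_REQUIRED = "next_tokencode"   # Next Tokencode mode (section 6)


@dataclass
class User:
    """One CertifiedMail user as edited in the Admin Console (figure 1)."""
    login_name: str
    password: str
    require_securid: bool = False


@dataclass
class FakeAceServer:
    """Stand-in for ACE/Server (assumed interface, not the real one).

    default_logins: the "Default login" of each ACE/Server account.
    passcodes:      the currently valid PIN+tokencode per login (constructed).
    states:         per-login override for the New PIN / Next Tokencode cases.
    """
    default_logins: set
    passcodes: dict
    states: dict = field(default_factory=dict)

    def authenticate(self, login, passcode):
        # Exact-match lookup: ACE/Server knows nothing about "JSmith2" if the
        # account was created as "jsmith2".
        if login not in self.default_logins or self.passcodes.get(login) != passcode:
            return AceResult.ACCESS_DENIED
        return self.states.get(login, AceResult.ACCESS_OK)


# Landing page per ACE outcome after the redirect to SecurID.asp.
# These page names are placeholders, not the product's real URLs.
_AFTER_SECURID = {
    AceResult.ACCESS_OK: "inbox",
    AceResult.ACCESS_DENIED: "securid_bad_passcode",
    AceResult.NEW_PIN_REQUIRED: "securid_new_pin",
    AceResult.NEXT_TOKENCODE_REQUIRED: "securid_next_tokencode",
}


def login(users, ace, login_name, secret):
    """Return the page the browser ends up on for one login attempt.

    A user flagged require_securid is only ever admitted via the ACE result,
    never via the password branch, even when `secret` equals their
    CertifiedMail password.
    """
    user = users.get(login_name)
    if user is None:
        return "login_failed"
    if user.require_securid:
        return _AFTER_SECURID[ace.authenticate(user.login_name, secret)]
    return "inbox" if user.password == secret else "login_failed"


def preflight(users, ace):
    """Login names flagged Require SecurID with no exactly matching
    ACE/Server Default login. Such users cannot log in at all once the
    flag is set, so run this before ticking the checkbox."""
    return sorted(n for n, u in users.items()
                  if u.require_securid and n not in ace.default_logins)


# Constructed sample data (not real accounts or tokencodes).
SAMPLE_USERS = {
    "jsmith":  User("jsmith",  "pw-jsmith", require_securid=True),
    "JSmith2": User("JSmith2", "pw-2",      require_securid=True),  # ACE has "jsmith2"
    "kdoe":    User("kdoe",    "pw-kdoe",   require_securid=True),
    "rkim":    User("rkim",    "pw-rkim",   require_securid=True),
    "mlee":    User("mlee",    "pw-mlee"),                          # password login only
}
SAMPLE_ACE = FakeAceServer(
    default_logins={"jsmith", "jsmith2", "kdoe", "rkim"},
    passcodes={"jsmith": "1234567890", "kdoe": "2468135790", "rkim": "1357924680"},
    states={"kdoe": AceResult.NEW_PIN_REQUIRED,
            "rkim": AceResult.NEXT_TOKENCODE_REQUIRED},
)

if __name__ == "__main__":
    print("mismatched logins:", preflight(SAMPLE_USERS, SAMPLE_ACE))
    for name, secret in [("jsmith", "pw-jsmith"), ("jsmith", "1234567890"),
                         ("kdoe", "2468135790"), ("rkim", "1357924680"),
                         ("JSmith2", "pw-2"), ("mlee", "pw-mlee")]:
        print(f"{name:8} -> {login(SAMPLE_USERS, SAMPLE_ACE, name, secret)}")
```

Running the block reports "JSmith2" from preflight (its Login Name differs in case from the ACE/Server account), sends jsmith's CertifiedMail password to the bad-passcode page rather than the inbox, and lands kdoe and rkim on the New PIN and Next Tokencode pages respectively. In the real deployment the ACE/Agent enforces the challenge at the IIS level on SecurID.asp; the model collapses that step into the FakeAceServer call.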

When users attempt to logon to CertifiedMail, they will be presented with the following
SecurID login screen:

Figure 2 SecurID Login Page

After entering their SecurID login, the following screen is displayed:

Figure 3 Processing Login Information



If the ACE/Server requires a New Pin, the following screen is displayed:

Figure 4 New PIN Dialog



If the user enters a bad passcode, the following screen is displayed:

Figure 5 CertifiedMail Admin Console



Upon successful login, the user is granted access to their secure e-mail account:

Figure 6 CertifiedMail Inbox



6. Certification Checklist

Indicate here the tests that were run to ensure the product is SecurID Ready:

Test                                              Pass  Fail
1st time auth. (node secret creation)              P
New PIN mode:
  System-generated
    Non-PINPAD token                               P
    PINPAD token                                   P
  User-defined (4-8 alphanumeric)
    Non-PINPAD token                               P
    Password                                       P
  User-defined (5-7 numeric)
    Non-PINPAD token                               P
    PINPAD token                                   P
    SoftID token                                   P
    Deny Alphanumeric                              P
  User-selectable
    Non-PINPAD token                               P
    PINPAD token                                   P
Next Tokencode mode
  Non-PINPAD token                                 P
  PINPAD token                                     P

Slave ACE/Server                                   P
No ACE/Server                                      P

7. Known Problems
None