Please Note:
The information contained in this section is intended to assist you in establishing the environment and configuration required to use CitiDirect Online Banking Automated File and Report Delivery (AFRD) successfully. It provides details on obtaining and installing end-user certificates, configuring the Web server and generating key pairs. Screen shots are provided to aid understanding of the instructions, although the actual screens may differ. We have tried to cover some of the more common vendor products. This section is not intended to replace information that you should obtain directly from your e-mail vendor, certificate authority of choice, and Web server vendor.
Table Of Contents
Table Of Contents ... 3
Introduction ... 4
Overview ... 4
  Obtaining Your Personal E-mail Certificate ... 4
  Setting up your E-mail Client for S/MIME ... 4
  Obtaining the Citigroup Certificate Authority Certificate ... 6
Setting Up Your E-mail Client for S/MIME ... 6
  Microsoft Outlook 2000 ... 6
  Microsoft Outlook Express 5.X ... 20
  Microsoft Outlook Express 4.0 ... 21
  Microsoft Outlook 98 ... 21
  Netscape 4.x (Communicator/Messenger) ... 22
  Netscape Communicator/Messenger ... 25
  Lotus Notes ... 26
Retrieving the Citigroup CA (root) Certificate ... 27
  Retrieving the Citigroup CA (root) Certificate Using IE: ... 28
  Retrieving the Citigroup CA (root) Certificate Using Netscape: ... 30
File and Report Processing via E-Mail ... 30
  Understanding E-Mail Security (S/MIME) ... 30
  End-User Certificate Requirements (e-mail) ... 31
  General Characteristics of AFRD E-Mail Delivery ... 32
  CitiDirect Processing (Sign, Encrypt and Send) ... 32
  Client Processing (Verify Signature, Decrypt and View) ... 32
  S/MIME E-Mail Support ... 33
  E-Mail Programs that do NOT Support S/MIME ... 33
  S/MIME Plug-ins for Entrust Enterprise Certificates ... 34
AFRD Installation/Requirements Check List ... 34
  Client Functionality Requested ... 34
  Type A Requirements ... 34
  Type B Requirements SMTP S/MIME (e-mail) ... 34
  Type C Requirements HTTPS (Web server) ... 35
  Type D Requirements HTTPS - SSL Encryption Only (Web server) ... 36
Disclaimer ... 43
Introduction
Automated File and Report Delivery was designed to be secure but flexible, using common standards and tools wherever possible. In most cases you can choose from a number of different Web servers, mail clients, Certificate Authorities (CAs), etc., that meet AFRD requirements. Because of this, it is impossible to fully document, in detail, the installation and configuration of every workable scenario. This guide defines requirements, lists solutions that have been tested by Citibank, and offers other suggestions. In addition, it provides details on the certificate process for popular e-mail programs and on the setup and creation of certificates for approved Web servers. These details are only intended as a useful reference and in no way are meant to replace the product-specific documentation that you should consult to best accomplish the required activities. Please read the Automated File and Report Delivery Configuration and Installation Guide as a prerequisite before proceeding with this guide.
Overview
Obtaining Your Personal E-mail Certificate
CitiDirect Online Banking supports any X.509v3-compliant personal/e-mail certificate issued by a standard Certificate Authority (CA), such as VeriSign or Thawte. Moreover, if you have your own certificate server installed, such as Microsoft Certificate Server or Netscape Certificate Server, CitiDirect Online Banking will also honor the certificates it issues. Although we do not require a specific certificate from a specific CA, Citibank strongly recommends that you deal with a reputable CA with auditable policies and procedures on certificate issuance and administration. Please refer to the Digital Certificate Summary grid in the Configuration and Installation Guide for general requirements and the general end-user experience in obtaining and installing digital certificates. Once you obtain your certificate you will need to import it into the desktop personal computer (PC) that runs your e-mail client and ensure that your e-mail is properly set up. Please use these instructions solely as a reference for what needs to occur. Follow your product's specific documentation on how best to accomplish this activity.
Complete instructions and screen shots are included, as an example, for Microsoft Outlook 2000. For the other e-mail programs, an overview and guidelines are provided.
Selecting this button (Get a Digital ID) will launch your browser and display a Web page hosted by Microsoft with links to several Certificate Authorities. Pick a CA and follow its instructions on obtaining a personal/e-mail digital certificate. During the certificate retrieval process, you will be asked to install the certificate in the browser/e-mail client of your choosing, in this case Microsoft Outlook 2000. Click the Install button. The following steps illustrate the entire process, using VeriSign as a typical CA. The actual experience will vary according to the CA you have selected.
For the Cryptographic Service Provider Name: select Microsoft Strong Encryption Encoder.
Since these digital certificates are tied to an individual e-mail address, confirm that the address is correct. This completes the application process. VeriSign will send an e-mail confirmation.
A second e-mail, Quick Installation Instructions, provides your Digital ID PIN and the URL to get your certificate.
Go to the URL provided, enter your PIN, and click Submit. This installs the certificate in your browser.
In your browser, go to Tools, Internet Options, Content, and Certificates. From this screen you can view the certificate by highlighting it and selecting View; select Advanced and click on the Details tab for further information.
Or you can press the Export button. You have a choice to export your certificate with or without the Private Key. If you need to export your certificate so that you can import it into your mail client, choose that option.
Note: If both your browser and mail client are Microsoft products, this should not be necessary. The illustration below shows you Exporting only your Public Key. This will be needed later, as it must be uploaded to CitiDirect Online Banking (S/MIME) Administration Service Class for you to be able to use Automated File and Report Delivery.
If you do need to install the entire certificate (Public and Private Keys) on your e-mail client, these alternative screens will be shown:
Select Strong Encryption. Your Private Key requires a Password. Type and Confirm.
The alternative screen for Exporting with the Private Key is shown.
If you need to import your certificate into Outlook, go to Outlook, Tools, Options, Security, and the Import/Export button. Browse to your certificate location, enter the password you created, and name the certificate. Click OK.
To confirm or change the setup of your certificate and e-mail, open Outlook. From the Tools menu, click Options and then select the Security tab. The following screen appears:
Click the Setup Secure E-mail button under the Secure e-mail section. The Change Security Settings dialog displays.
Outlook 2000 examines your certificates, determines which ones are valid for e-mail encryption and digital signatures, and chooses a certificate for each. If the certificates that Outlook selects are not the ones you want to use, you can change the default selections. Click the Choose button in the Encryption Certificate section to select a certificate for e-mail encryption.
Note: CitiDirect Online Banking requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup. If the certificates do not match, use the dropdown menu to select the appropriate certificate and click OK.
Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, these choices should reflect your personal preferences.
Click OK to close the Change Security Settings dialog box and return to the Options dialog box. Click Apply, and then click OK to close the Options dialog box.
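A more reliable way to confirm the match that the note above requires, rather than comparing names in the dialog by eye, is to compare the serial number and fingerprint of the certificate the client has selected with those of the copy that was uploaded. The Python below is an added example and is not part of this guide or of any CitiDirect or Microsoft tool; the names build_fake_cert, cert_serial, fingerprint and same_certificate are chosen here, and the "certificates" it works on are constructed DER stand-ins that copy only the outer layout of an X.509 certificate (Certificate SEQUENCE, TBSCertificate SEQUENCE, optional [0] version, serialNumber INTEGER), not real certificates.

```python
"""Compare the certificate an e-mail client will encrypt to with the copy that
was uploaded elsewhere.  Added example, not part of the CitiDirect guide; the
"certificates" come from build_fake_cert() and are constructed DER stand-ins
(outer X.509 layout only), not real certificates."""
import base64
import hashlib
import hmac
import re


def der_len(n: int) -> bytes:
    """DER length field: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(n: int) -> bytes:
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_fake_cert(serial: int, subject: str) -> bytes:
    """Constructed stand-in: Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
    [0] version, serialNumber INTEGER, <placeholder> }, <placeholder> }.
    Only the path down to the serial number mirrors a real certificate."""
    version = tlv(0xA0, der_integer(2))            # [0] EXPLICIT version v3
    tbs = tlv(0x30, version + der_integer(serial) + tlv(0x0C, subject.encode()))
    return tlv(0x30, tbs + tlv(0x04, b"placeholder, not a signature"))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def to_der(cert: bytes) -> bytes:
    """Accept PEM (as a browser exports it) or raw DER and return DER."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]*-----|\s", b"", cert))
    return cert


def to_pem(der: bytes) -> bytes:
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def cert_serial(cert: bytes) -> int:
    """Walk Certificate -> TBSCertificate -> [0] version (optional) -> serialNumber."""
    tag, body, _ = read_tlv(to_der(cert), 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                                 # version is optional (absent means v1)
        tag, value, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)


def fingerprint(cert: bytes, algorithm: str = "sha1") -> str:
    """Hash of the DER encoding, in the AA:BB:... form certificate viewers display."""
    digest = hashlib.new(algorithm, to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(client_cert: bytes, uploaded_cert: bytes) -> bool:
    """Byte-for-byte comparison of the two DER encodings, done in constant time."""
    return hmac.compare_digest(to_der(client_cert), to_der(uploaded_cert))


if __name__ == "__main__":
    uploaded = build_fake_cert(0x1A2B3C, "CN=constructed sample")
    in_client = build_fake_cert(0x1A2B3D, "CN=constructed sample")   # re-issued: new serial
    for label, cert in (("uploaded", uploaded), ("client", in_client)):
        print(f"{label}: serial={cert_serial(cert):#x} sha1={fingerprint(cert)}")
    print("match:", same_certificate(to_pem(in_client), uploaded))
```

In practice you would feed fingerprint the .cer file exported without the private key (the public-key export shown earlier) and compare it with the thumbprint the client dialog displays. Because the fingerprint covers the whole DER encoding, a re-issued certificate with the same subject and the same key still gets a different serial and a different fingerprint, which is exactly the mismatch the note warns about.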
Microsoft Outlook 98
The next screen you will see is the option to install the certificate in the browser/e-mail client you want to use, in this case Microsoft Outlook 98. Click the 'Install' button.
To import a downloaded Digital ID into your address book for Outlook 98: open "Contacts" from Outlook 98 (click on the Contacts icon). Add CitiDirect (** need exact e-mail address here ****) to your contact list. Select the Certificates tab in the Contact window. Click on the "Import" button. Locate the Digital ID you downloaded from CitiDirect and click the Open button.
AFRD E-Mail Set Up Guide
Click on "Save and close". Note: CitiDirect requires that the Encryption Certificate matches the certificate that was uploaded to CitiDirect during the e-mail delivery setup. If the certificates do not match, make the appropriate changes using the supplied User Interface and select OK.
Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, this choice should reflect your personal preferences.
Click OK to Continue. The next screen will require you to enter your password to access your private keystore.
Netscape 4.x (Communicator/Messenger)
If you have recently installed Netscape on your system or have never used any of Netscape's security features, you may be asked to create and set up a Netscape Communicator password. Citibank highly recommends taking this action. By doing so, you effectively prevent any individual other than yourself from managing, importing or exporting digital certificates on your machine. This password also prevents other individuals from sitting down at your machine and signing e-mail messages with your digital ID.
Note: Be sure to remember your Communicator password. This is a Netscape function, included with Communicator for your security. If you forget your password, you will not have access to manage, deploy or use your digital ID. There is nothing your CA and/or Netscape can do in the event that this happens, and ANY digital certificates you may have will be rendered useless.
The Authentication Phase is carried out by your CA. Depending on the type of certificate you are requesting, this process might be quite simple or rather complex.
After you complete the enrollment process explained in the above steps, depending on your CA and the type of certificate you requested, the CA will either e-mail you that your certificate is available or send you some form of postal mail. Irrespective of the mode of delivery, the message will contain specific information on how you can pick up your Digital ID. This mailing usually includes such items as a URL you can use to get your Digital ID along with some form of PIN. Go to the URL included in the e-mail and complete the certificate retrieval process.
Note: since you will be installing your Digital ID in Netscape, you must go to the pickup page using Netscape Communicator. This causes the Digital ID to be installed in your browser, in turn allowing the Netscape Messenger client to locate it.
The Retrieval Phase consists of getting your certificate for use. For e-mail certificates, most CAs will notify you of your certificate's availability using e-mail. For other certificate types (server certificates, for example), some certificate authorities use e-mail, others may use the postal service. Irrespective of the method of communication, most will provide you with a URL where you can retrieve your certificate online. Follow your CA's instructions for retrieving your certificate. If you retrieve your certificate using Netscape (Communicator/Messenger), a series of windows will be displayed requesting that you name and save your certificate.
Select OK to continue.
You may want to select the Save As button to keep a copy of your personal certificate for backup purposes. Click Continue. This completes the certificate retrieval process.
To verify that your Digital ID has been successfully installed in Netscape Communicator, click on the Security tab at the top of the browser window. Under Certificates, click Yours. Your named certificate should be displayed. Your e-mail client is now ready to receive S/MIME messages.
Netscape Communicator/Messenger
To ensure security and privacy, Netscape Messenger provides encryption (scrambling) and digital signing (authentication) of e-mail messages. Messenger's privacy features comply with the Secure Multipurpose Internet Mail Extensions (S/MIME) standard. The S/MIME standard allows Messenger to send and receive encrypted messages and authenticate received messages. Using the S/MIME standard, Messenger also provides features that detect message tampering.
To enable Messenger with S/MIME, follow these instructions: Click the Security tab at the top of the Communicator window. Select Messenger from the left pane of the pop-up window. In the field asking which certificate to use for signing and encrypting (Certificate for your Signed and Encrypted Messages:), select your newly created certificate.
Note: CitiDirect requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup. If the certificates do not match, use the dropdowns to select the appropriate certificate and select OK.
Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, these choices should reflect your personal preferences.
Click OK and close the Security window.
Lotus Notes
You can import Internet certificates into your Notes User ID. You can also export Internet certificates from your Notes User ID. Importing Internet certificates allows you to use them for SSL client authentication, and for encrypted and signed S/MIME messages. For example, if you are using a Netscape browser that is compliant with Public Key Cryptography Standard #12 (PKCS #12), and have Internet certificates and keys (in compliance with PKCS #12) accessible from your local machine, you can import them into your Notes User ID file. Conversely, if you have Internet certificates and keys (in compliance with PKCS #12) in your Notes User ID file, you can export them to a file on your local machine and then import them to use with a Netscape browser.
To import Internet certificates into your User ID file: Choose File - Tools - User ID. Enter your Notes password. Click "More Options" and click "Import Internet Certificates." Select the file that contains the certificates in the "Specify PKCS12 File Containing the Internet Certificates" dialog box and then click Open. If the file is password protected, enter the password when prompted. Click "Accept All" in the "Accept Internet Certificates" dialog box to accept the certificates and any Private Keys in the file. Enter your Notes password.
Note: To check that your certificates were imported into your ID file, choose File - Tools - User ID and click Certificates. You cannot import invalid certificates or incomplete certificate chains.
Retrieving the Citigroup CA (root) Certificate
https://digitalcertificate.citigroup.com/cda-cgi/clientcgi?action=start
Note:
If you use one of the e-mail programs provided by Microsoft (Outlook, Outlook Express), you are required to access the above site using Microsoft IE. If you are using Netscape Messenger to receive your e-mail, you must access the site using the Netscape browser.
Retrieving the Citigroup CA (root) Certificate Using IE:
Click on the link to retrieve the Citigroup Certificate Authority (CA) certificate.
The next screen will prompt you for a name for this CA. Please enter a name such as Citigroup CA and select FINISH. The window will close and Citibank's CA will have been installed in your browser's local keystore.
Retrieving the Citigroup CA (root) Certificate Using Netscape:
Click on the link to retrieve the Citigroup Certificate Authority (CA) certificate. Using a Netscape browser, a series of dialogs will appear.
MIME is defined in Request for Comments (RFC) 2045 through 2049. It defines how a message body can contain data types other than flat ASCII.
While the actual risk or likelihood of interception is relatively low, without S/MIME someone along a message's journey could conceivably intercept one or more of these chunks of plain text and read at least part, if not all, of your message. To use a traditional postal analogy, this is similar to sending a postcard, where anyone who encounters that card along its way can read, and perhaps even modify, the message you write on the back of the card. Moreover, someone could write a postcard and forge your name and address on it, making their message appear to have come from you. Given the sensitive nature of the information being transferred to CitiDirect, protecting the message during transit is of utmost importance.
To ensure the privacy and integrity of the data transmitted from CitiDirect to you, CitiDirect has chosen to utilize the S/MIME (Secure Multipurpose Internet Mail Extensions) standard. S/MIME was designed to add security to e-mail messages in MIME format. The S/MIME standard was chosen since it has established itself as the de facto standard for e-mail security within the industry. Moreover, S/MIME relies on state-of-the-art public key cryptography and is supported in most of the popular e-mail programs on the market today. Popular e-mail programs (including Microsoft Outlook Express and Outlook 2000, as well as Netscape Communicator/Messenger) not only support S/MIME but actually interoperate with each other. This decision enables us to apply a full set of security functions to e-mail. These functions include:
Confidentiality - provided by the use of 128-bit DES strong encryption;
Integrity - provided by the use of SHA-1 digital signatures;
Authentication - provided by the use of X.509 digital certificates;
Proof of a transaction or 'non-repudiation' as defined by the Public Key Infrastructure (PKI).
S/MIME 3.0 became an Internet Engineering Task Force (IETF) approved standard in June 1999. Please refer to Requests for Comments (RFCs) 2632 through 2634 for further details on this standard.
programs (Outlook, Outlook Express), you are required to access the above site using Microsoft IE.
Additional details on obtaining and installing this certificate can be found in the Setup Details section of this Installation and Configuration Guide, but the Web site will also guide you through the process.
If your e-mail program only displays two file attachments with the extensions *.p7m and/or *.pls, then your e-mail program either does not support S/MIME or has not been properly configured. Please check your e-mail product's installation and configuration documentation for enabling S/MIME functionality.
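One way to tell which S/MIME layer a message actually carries, instead of guessing from a bare smime.p7m attachment, is to read its MIME headers: an outer Content-Type of application/pkcs7-mime with smime-type=enveloped-data means the message is encrypted, and because CitiDirect signs and then encrypts, the signature only becomes visible after the client decrypts. The Python below is an added example and is not from this guide or any e-mail vendor; classify, describe and opaque_attachments are names chosen here, the three sample messages are constructed, and their base64 bodies are placeholders rather than real PKCS#7 objects.

```python
"""Report how an incoming message is S/MIME-protected from its MIME structure.
Added example, not part of the CitiDirect guide; the sample messages are
constructed and their base64 bodies are placeholders, not real PKCS#7 data."""
from email import message_from_string
from email.message import Message

PKCS7_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")

# Constructed sample: sign-then-encrypt leaves only EnvelopedData on the outside.
ENVELOPED = """\
From: delivery@example.invalid
To: user@example.invalid
Subject: Daily report (constructed sample)
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

cGxhY2Vob2xkZXI=
"""

# Constructed sample: clear-signed, readable body plus a detached signature part.
CLEAR_SIGNED = """\
From: delivery@example.invalid
To: user@example.invalid
Subject: Daily report (constructed sample)
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="b1"

--b1
Content-Type: text/plain

Report body (constructed sample)
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

cGxhY2Vob2xkZXI=
--b1--
"""

PLAIN = "Subject: hello (constructed sample)\nContent-Type: text/plain\n\nno protection at all\n"


def describe(msg: Message) -> list:
    """Protection layers from the outside in, as far as the headers reveal them."""
    ctype = msg.get_content_type()
    if ctype in PKCS7_MIME:
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            return ["encrypted (EnvelopedData); inner layers visible only after decryption"]
        if smime_type == "signed-data":
            return ["signed (opaque SignedData); content visible only after verification"]
        return ["pkcs7-mime with unrecognised smime-type %r" % smime_type]
    if ctype == "multipart/signed":
        parts = msg.get_payload()
        layers = ["signed (clear, detached %s)" % msg.get_param("protocol")]
        return layers + (describe(parts[0]) if isinstance(parts, list) and parts else [])
    return ["plain (%s)" % ctype]


def opaque_attachments(msg: Message) -> list:
    """Attachment names a client without S/MIME support would show as plain files."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith((".p7m", ".p7s")):
            names.append(name)
    return names


def classify(raw: str) -> dict:
    """Summarise the protection of one raw RFC 822 message."""
    msg = message_from_string(raw)
    layers = describe(msg)
    return {
        "layers": layers,
        "encrypted": layers[0].startswith("encrypted"),
        "signed": any(layer.startswith("signed") for layer in layers),
        "opaque_attachments": opaque_attachments(msg),
    }


if __name__ == "__main__":
    for name, raw in (("enveloped", ENVELOPED), ("clear-signed", CLEAR_SIGNED), ("plain", PLAIN)):
        print(name, classify(raw))
```

When a user reports seeing only an attachment, run their saved message through classify: an "encrypted" result with smime.p7m in opaque_attachments means the mail arrived intact and the client simply has no usable decryption certificate, which points back at the certificate-matching step rather than at the mail transport.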
For instructions on importing a certificate into the various e-mail programs, please refer to your e-mail user's guide. Instructions for some popular e-mail programs can be located in a later section of this document.
One vendor that supports various e-mail systems is Baltimore Technologies, found at: http://www.baltimore.com/securityapplications/mailsecure/index.html Baltimore Technologies MailSecure S/MIME enables the following e-mail programs:
Please Note: This information is being presented here solely as a point of reference. Other commercial e-mail plug-in providers exist. Customers can choose which e-mail plug-in (if any) to use based on their corporate security policies and procedures.
Type A Requirements
No special requirements; covered by in-session SSL.
Type B Requirements
Digital Certificate (Web cert for end-user):
X.509 compliant
Triple DES (DES EDE3 in CBC) using 168-bit key
RC2 encryption in CBC mode using 128-bit key
S/MIME-aware e-mail client such as:
Microsoft Outlook Express 5.X (Windows version only)
Microsoft Outlook 2000
Netscape Communicator 4.X (WinTel version only, but not version 6.X)
Type C Requirements HTTPS (Web server)
Install a Web server (if one is not already available):
Microsoft IIS Version 4.X and above
Netscape/iPlanet Web Server Version 4.X and above
Apache HTTP Server (plus OpenSSL or mod_ssl) Version 1.3 and above
Enable Secure Sockets Layer (SSL) (if not already enabled):
Minimum encryption strength is 128-bit (1024-bit session keys)
Activate SSL security (on folder or root level)
Other SSL configuration requirements
Create a user account for the exclusive use of CitiDirect:
GET functionality must be enabled for file Import
PUT functionality must be enabled for file Export
Dedicated Internet connection, minimum T1 (1.54 Mbps)
HTTPS connection on port 443 for GET and PUT
Acquire a digital certificate from a Certificate Authority (CA):
Certificate must be an SSL server certificate on the Citibank approved list (see appendix)
Must support 128-bit encryption, 1024-bit session keys
Create a CitiDirect user (User ID and Password) on your Web server:
Citibank recommends that the password be at least 6 characters in length and changed frequently
NOTE: when you change this password, please ensure that it is changed in CitiDirect (Delivery Options Library) as well in order to avoid scheduled job failures
NOTE: you will provide this information to Citibank during the definition phase of the Delivery Method (File Delivery scheduling process)
Establish access rights for this CitiDirect user:
For Export, write (PUT) authorization is required
For Import, read (GET) authorization is required
Ensure that access is given to the appropriate directory location(s)
Ensure that the assigned directories are restricted from any/all other users
If there will be multiple Import files, then ensure that the HTTP LIST command is also enabled for the specified directory and user.
Minimum configuration parameters for the SSL v3 cipher suite:
RC4 or RC5 symmetric algorithm with 128-bit cipher strength
RSA public key algorithm with 1024-bit key strength
SHA1 message authentication hash/digest algorithm
NOTE: CitiDirect supported SSLv3 ciphers include:
RC4 with MD5
RC2 with MD5
Triple DES with MD5
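The Type C checklist above (a dedicated account, GET only for Import, PUT only for Export, each directory restricted to that account) is easier to audit when the policy is written down as code rather than spread across server settings. The Python below is an added example and not CitiDirect's or any Web server vendor's code; the account name citidirect, the directory names import and export, the document root, the certificate paths and the password are all assumptions or constructed placeholders. Its TLS side uses Python's default server context, which is stricter than the SSLv3 cipher list in this 2005 guide (no SSLv3, no RC4 or MD5 suites), so the ciphers in the checklist should be read as the minimum of their time.

```python
"""HTTPS drop box for one dedicated account, modelled on the Type C checklist.
Added example, not CitiDirect's or a vendor's code: the user name, directory
names, document root, certificate paths and password are assumptions."""
import base64
import hashlib
import hmac
import os
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

ROOT = os.path.normpath("/srv/citidirect")   # assumed document root
MAX_UPLOAD = 50 * 1024 * 1024                # assumed cap on PUT bodies

# The checklist as a table: (user, method) -> the only directory that pair may touch.
# CitiDirect GETs Import files from "import" and PUTs Export files into "export".
POLICY = {("citidirect", "GET"): "import", ("citidirect", "PUT"): "export"}


def pw_hash(password: str, salt: bytes = b"constructed-salt") -> bytes:
    """PBKDF2 so the stored credential is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


CREDENTIALS = {"citidirect": pw_hash("change-me-example")}   # constructed placeholder


def check_credentials(user: str, password: str) -> bool:
    expected = CREDENTIALS.get(user)
    return expected is not None and hmac.compare_digest(expected, pw_hash(password))


def resolve(url_path: str):
    """Map the request path under ROOT; None if it escapes ROOT (../ and friends)."""
    full = os.path.normpath(os.path.join(ROOT, url_path.lstrip("/")))
    return full if full.startswith(ROOT + os.sep) else None


def authorize(user: str, method: str, url_path: str):
    """Filesystem path if POLICY allows this user/method/path, otherwise None."""
    allowed_dir = POLICY.get((user, method))
    full = resolve(url_path) if allowed_dir else None
    # Exactly one level inside the permitted directory: no subdirectories, no siblings.
    if full is None or os.path.dirname(full) != os.path.join(ROOT, allowed_dir):
        return None
    return full


class DropBoxHandler(BaseHTTPRequestHandler):
    def _reply(self, code: int, body: bytes = b"", extra=()):
        self.send_response(code)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _target(self):
        """Authenticate (Basic) then authorize; reply 401/403 and return None on failure."""
        header = self.headers.get("Authorization", "")
        try:
            user, _, password = base64.b64decode(header[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            user, password = "", ""
        if not header.startswith("Basic ") or not check_credentials(user, password):
            self._reply(401, extra=[("WWW-Authenticate", 'Basic realm="AFRD"')])
            return None
        target = authorize(user, self.command, self.path)
        if target is None:
            self._reply(403)
        return target

    def do_GET(self):
        target = self._target()
        if target is None:
            return
        try:
            with open(target, "rb") as fh:
                self._reply(200, fh.read())
        except OSError:
            self._reply(404)

    def do_PUT(self):
        target = self._target()
        if target is None:
            return
        length = int(self.headers.get("Content-Length", "0"))
        if length > MAX_UPLOAD:
            self._reply(413)
            return
        with open(target, "wb") as fh:
            fh.write(self.rfile.read(length))
        self._reply(201)


def serve(certfile="/etc/ssl/afrd/server.crt", keyfile="/etc/ssl/afrd/server.key", port=443):
    """TLS with Python's default server settings; certificate paths are placeholders."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    context.load_cert_chain(certfile, keyfile)
    httpd = HTTPServer(("", port), DropBoxHandler)
    httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```

The authorize function is the part worth testing on its own: every rule in the checklist is one lookup or comparison, and path normalisation happens before the directory check, so a request such as GET /import/../export/report.csv is refused as a policy violation rather than resolved into a file outside the permitted directory. Calling serve() with real certificate paths starts the listener; the same account and directory split can be expressed in IIS, iPlanet or Apache configuration once the policy is this explicit.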
End-User Software and Certificate Requirements:
PKCS-7 standard
Entrust Entelligence 6.0 software (can be obtained from Citibank)
Ports to be opened if through Citigroup: 389 to check certificates against our directory services; 709 to send certificates to our CA; and 829 to renew the certificate
Use Entelligence to retrieve the enterprise certificate from Citigroup
This security method is named None with SSL and can be configured within the Delivery option table found online in CitiDirect. Currently, this applies to files and reports delivered from CitiDirect AFRD to the customer. Payment files originating from the client for import into CitiDirect require file encryption.
When the New Certificate Authority window displays, click NEXT to continue.
Another window will appear explaining the role of a Certificate Authority. Click Next to continue.
Another window displays where you can view (More Info) Citibank's Public Key information. Select More Info for certificate details. When complete, select NEXT to continue.
After selecting NEXT, the above window appears where you MUST select at least the option for using the Citibank CA to certify e-mail users since Citibank will be sending you files signed using our Public Key.
Depending on your comfort level, please choose the appropriate option above and select NEXT.
The next screen will prompt you for a name for this CA. Please enter a name such as Citigroup CA and select FINISH. The window will close and Citibank's CA will have been installed in your browser's local keystore.
Disclaimer
The authoritative and official text of this CitiDirect Online Banking documentation shall be in the English language as used in the United States of America. Any translation of any CitiDirect documentation from English to another language is done solely for the convenience of the reader, and any inconsistencies, or inaccuracies between the English text and that translation shall be resolved in favor of the English text. These materials are proprietary and confidential to Citibank, N.A., and are intended for the exclusive use of CitiDirect Online Banking customers. The foregoing statement shall appear on all copies of these materials made by you in whatever form and by whatever means, electronic or mechanical, including photocopying or in any information storage system. In addition, no copy of these materials shall be disclosed to third parties without express written authorization of Citibank, N.A. Customer shall be solely responsible for the use of any User identifications, passwords and authentication codes that may be provided to it, from time to time, in connection with CitiDirect Online Banking (collectively, "User IDs"). Customer agrees to keep all User IDs strictly confidential at all times. Customer shall immediately cease use of CitiDirect Online Banking if it receives notification from Citibank, or otherwise becomes aware of, or suspects, a technical failure or security breach. Customer shall immediately notify Citibank if it becomes aware of, or suspects, a technical failure or security breach.
April, 2005. © 2005 Citibank, N.A. All rights reserved. CITIBANK, CITIDIRECT, WORLDLINK, CITIGROUP, and the Umbrella Device are trademarks and service marks of Citicorp or its affiliates and are used and registered throughout the world. Adobe, Acrobat, Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Actuate is a registered trademark of Actuate Corporation. Microsoft, Outlook and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. VeriSign and Thawte are registered trademarks of VeriSign in the United States and/or other countries. All other brands, products, and service names mentioned are trademarks or registered trademarks of their respective owners.