Configuring corporate directories
In a security policy, you can specify the LDAP directories used to provide user certificates and configure the criteria for searching certificates in the directory.
Directories must be added beforehand in the Certificate library menu.
From their trusted address book, users can manually search for certificates in the LDAP directories selected in the policy.
The configuration of the trusted address book and associated LDAP directories can be looked up in read-only mode from the SDS Enterprise agent.
For more information, refer to the section Managing the trusted address book from the SDS Enterprise agent.
SDMC also makes it possible to indicate the addresses of the WKD servers used to encrypt PGP messages.
- Go to the menu Policy > Directories > LDAP.
- To prohibit the use of the "*" wildcard character as a suffix when searching for certificates in the directory, disable the first option.
- Click on Add from library in LDAP/LDAPS directories.
- Select one or more directories.
- Change the order of directories if necessary by clicking and dragging.
Every time the corporate LDAP directory is updated, SDMC makes it possible to automatically update the local trusted address book to reflect changes.
The options in the Trusted directory update section in the Policy > Directories > LDAP menu enable the modular configuration of automatic updates.
Option | Description
--- | ---
Activation and execution | 
Certificates update from an LDAP directory | Enable these options to update the statuses of certificates in the local directory.
Deletion of certificates expired/revoked/removed from the LDAP | If you do not wish to delete from the local directory certificates that have expired or been revoked or removed from the LDAP directory, you can select the issuing certification authorities to filter the certificates that you wish to delete.
To enable users to send and receive e-mails encrypted in PGP format with the Stormshield Data Mail feature, you must:
- Enable PGP message encryption/decryption in Features > Mail in the policy.
- Add the addresses of one or several WKDs (Web Key Directories) to query in Directories > PGP. These public key directories allow Stormshield Data Mail to retrieve the public PGP keys belonging to the recipients of encrypted e-mails.
To add WKD servers:
- In the PGP tab in the Directories menu, enter the URLs of the WKD servers in one of the formats below, adapting them to the domain (or sub-domain) names of the servers:
  - https://openpgpkey.optional-sub-domains.domain.toplevel/.well-known/openpgpkey/<d>/hu/<k>?get_parameters=optional
  - https://optional-sub-domains.domain.domain.toplevel/.well-known/openpgpkey/hu/<k>?get_parameters=optional
  The fixed parts of the URLs (the openpgpkey host prefix, .well-known/openpgpkey and hu) must be kept as they are; only the domain and sub-domain parts are adapted.
- SDS Enterprise communicates with WKD servers over HTTPS. All computers on which Stormshield Data Mail is installed must therefore have the certificate of the authority that issued the WKD server's SSL certificate installed in their trust store.
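The two URL formats above follow the OpenPGP Web Key Directory scheme: `<d>` is the recipient's mail domain and `<k>` is the z-base-32 encoding of the SHA-1 hash of the lowercased local part of the address. The following is an added example, not Stormshield code and not taken from this page, that builds both the "advanced" (openpgpkey. sub-domain) and "direct" lookup URLs for an address and sanity-checks a configured URL against the fixed parts the page says must be kept. It assumes the hashing and encoding rules of the WKD draft specification; the function names and the `check_wkd_url` checks are this example's own.

```python
import hashlib
from urllib.parse import quote, urlparse

# z-base-32 alphabet used by the WKD specification (draft-koch-openpgp-webkey-service)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 encoding: 5-bit groups taken MSB-first, no padding characters."""
    bit_len = len(data) * 8
    pad = (-bit_len) % 5             # right-pad the bit string to a multiple of 5 bits
    n = int.from_bytes(data, "big") << pad
    return "".join(ZBASE32_ALPHABET[(n >> shift) & 31]
                   for shift in range(bit_len + pad - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """<k> in the URL formats: z-base-32 of SHA-1 of the lowercased local part."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)    # 20 bytes -> 32 characters


def wkd_urls(email: str) -> dict:
    """Build the 'advanced' (openpgpkey. sub-domain) and 'direct' WKD lookup URLs."""
    local_part, domain = email.rsplit("@", 1)
    domain = domain.lower()          # <d>: the mail domain, lowercased
    k = wkd_hash(local_part)
    # The optional ?l= parameter carries the original local part, percent-encoded
    query = "?l=" + quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{k}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{k}{query}",
    }


def check_wkd_url(url: str) -> list:
    """Return the problems found in a configured WKD URL (empty list if it looks right)."""
    problems = []
    p = urlparse(url)
    if p.scheme != "https":
        problems.append("scheme must be https")
    if not p.hostname:
        problems.append("missing host name")
    path = p.path
    if "/.well-known/openpgpkey/" not in path:
        problems.append("path must contain /.well-known/openpgpkey/")
    if "/hu/" not in path:
        problems.append("path must contain /hu/")
    elif p.hostname and p.hostname.startswith("openpgpkey."):
        # advanced method: the mail domain <d> must appear between openpgpkey/ and /hu/
        between = path.split("/.well-known/openpgpkey/", 1)[-1].split("/hu/", 1)[0]
        if between != p.hostname[len("openpgpkey."):]:
            problems.append("advanced form: <d> must equal the host name without the openpgpkey. prefix")
    return problems


if __name__ == "__main__":
    # Constructed sample address, not a real mailbox
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(method, url, check_wkd_url(url) or "ok")
```

Running the block prints the two candidate URLs for the sample address; a URL typed into the PGP tab can be pasted into `check_wkd_url` to confirm that the scheme and the fixed path components match what SDS Enterprise expects before the policy is deployed.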