CitiDirect ® Online Banking Automated File and Report Delivery (AFRD): E-mail Set Up Guide

Page 1: CitiDirect Online Banking...Lotus Notes ® ... CitiDirect Online Banking. Microsoft Outlook Express 5.X Here are the steps needed to configure Outlook Express to read S/MIME Secure

CitiDirect® Online Banking

Automated File and Report Delivery (AFRD): E-mail Set Up Guide


Proprietary and Confidential

These materials are proprietary and confidential to Citibank, N.A., and are intended for the exclusive use of CitiDirect® Online Banking customers. The foregoing statement shall appear on all copies of these materials made by you in whatever form and by whatever means, electronic or mechanical, including photocopying or in any information storage system. In addition, no copy of these materials shall be disclosed to third parties without express written authorization of Citibank, N.A.

Please Note:

The information contained in this section is intended to assist you in establishing the environment and configuration required to successfully use CitiDirect Online Banking Automated File and Report Delivery (AFRD).

It provides details on obtaining and installing end-user certificates, configuring the Web server and generating key pairs. Screen shots are provided as an aid to understanding the instructions, although the actual screens may differ. We tried to cover some of the more common vendor products. This guide is not intended to replace information that you should obtain directly from your e-mail vendor, certificate authority of choice and Web server vendor.

Table of Contents

Introduction .............................................................................................................................................................. 2

Overview .................................................................................................................................................................... 3

Obtaining Your Personal E-mail Certificate .......................................................................................................... 3

Setting up Your E-mail Client for S/MIME ............................................................................................................. 3

Obtaining the Citigroup Certificate Authority Certificate ................................................................................ 3

Setting Up Your E-mail Client for S/MIME .......................................................................................................... 4

Microsoft® Outlook® 2000 .......................................................................................................................................4

Microsoft Outlook Express 5.X ...............................................................................................................................18

Microsoft Outlook Express 4.0 .............................................................................................................................. 19

Microsoft Outlook 98 ...............................................................................................................................................19

Netscape 4.x (Communicator/Messenger) ........................................................................................................20

Netscape Communicator/Messenger...................................................................................................................22

Lotus Notes® ..............................................................................................................................................................23

Retrieving the Citigroup CA (Root) Certificate ................................................................................................24

Retrieving the Citigroup CA (Root) Certificate Using IE .................................................................................25

Retrieving the Citigroup CA (Root) Certificate Using Netscape ...................................................................27

File and Report Processing via E-mail ...............................................................................................................28

Understanding E-mail Security (S/MIME) ...........................................................................................................28

End-User Certificate Requirements (E-mail) ......................................................................................................29

General Characteristics of AFRD E-mail Delivery .............................................................................................29

CitiDirect Processing (Sign, Encrypt and Send) ................................................................................................29

Client Processing (Verify Signature, Decrypt and View) ...............................................................30

S/MIME E-mail Support ...........................................................................................................................................30

E-mail Programs That Do NOT Support S/MIME ................................................................................................31

S/MIME Plug-ins for Entrust Enterprise Certificates ........................................................................................31

AFRD Installation/Requirements Checklist ......................................................................................................32

Client Functionality Requested .............................................................................................................................32

Type “A” Requirements ...........................................................................................................................................32

Type “B” Requirements SMTP — S/MIME (E-mail) ........................................................................................... 32

Type “C” Requirements HTTPS (Web Server) .................................................................................................. 32

Type “D” Requirements HTTPS — SSL Encryption Only (Web Server) ....................................................... 34

Disclaimer ................................................................................................................................................................41

Introduction

Automated File and Report Delivery was designed to be secure but flexible, using common standards and tools wherever possible. In most cases you can choose from a number of different Web servers, mail clients, Certificate Authorities (CA), etc., that meet AFRD requirements. Because of this, it is impossible to fully document, in detail, the installation and configuration of every workable scenario. This guide defines requirements, lists solutions that have been tested by Citibank and offers other suggestions. In addition, it provides details around the certificate process for popular e-mail programs and the setup and creation of certificates for approved Web servers. These details are only intended as a useful reference and in no way are meant to replace product-specific documentation that you should reference to best accomplish the required activities.

Please refer to the Automated File and Report Delivery Configuration and Installation Guide as a prerequisite reading before proceeding with this guide.

Overview

Obtaining Your Personal E-mail Certificate

CitiDirect® Online Banking supports any X.509v3 compliant Personal/E-mail certificate issued by a standard Certificate Authority (CA), such as VeriSign.

Moreover, if you have your own Certificate Server installed, such as Microsoft® Certificate Server or Netscape® Certificate Server, CitiDirect Online Banking will also honor these certificates.

Although we do not require a specific certificate from a specific CA, Citibank strongly recommends that you deal with a reputable CA with auditable policies and procedures on certificate issuance and administration.

Please refer to the Digital Certificate Summary grid in the Configuration and Installation Guide for general requirements and the general end-user experience in obtaining and installing digital certificates. Once you obtain your certificate you will need to import it into your e-mail desktop personal computer (PC) and ensure that your e-mail is properly set up.

Please use these instructions solely as a reference for what needs to occur. Follow your product-specific documentation on how best to accomplish this activity.

Setting up Your E-mail Client for S/MIME

What follows is a step-by-step process of what needs to be done to enable some of the more popular e-mail programs for S/MIME. Although the following instructions are considered accurate (as of the date of this document), Citibank strongly suggests that you follow your product-specific user guides to configure your e-mail program for S/MIME.

Complete instructions and screen shots are included, as an example, for Microsoft® Outlook® 2000. More of an overview and guidelines are provided for the other e-mail programs.

Obtaining the Citigroup Certificate Authority Certificate

The last process in this section provides instructions for obtaining the Citigroup CA Certificate. This is required for AFRD e-mail delivery and must also be imported into your e-mail client.

Setting Up Your E-mail Client for S/MIME

Microsoft® Outlook® 2000

These instructions apply specifically to Microsoft Outlook 2000 on Microsoft Windows® 2000. The procedure remains the same for later versions of Outlook, except for some minor differences.

One way to get a digital certificate is to use a wizard in Outlook 2000. Select Tools, then Options from the pull-down menu. This will open up the Options dialog box. Select the Security tab. Select the Get a Digital ID button.

Selecting this button (Get a Digital ID) will launch your browser and display a Web page hosted by Microsoft with links to several Certificate Authorities. Pick a CA and follow their instructions on obtaining a personal/e-mail digital certificate.

During the certificate retrieval process, you will be asked to install the certificate in the browser/e-mail client of your choosing, in this case Microsoft Outlook 2000. Click the Install button.

The following steps illustrate the entire process, using VeriSign® as a typical CA. The actual experience will vary according to the CA you have selected.

Select the VeriSign Link.

Go to Products and Services.

Select Secure Messaging under Retail Services.

For illustration purposes, we will “Try a Digital ID Free for 60 Days.”

Enroll Now for a Class 1 Digital ID.

Complete the application.

For the Cryptographic Service Provider Name: select Microsoft Strong Encryption Encoder.

Since these digital certificates are tied to an individual e-mail address, confirm that the address is correct. This completes the application process. VeriSign will send an e-mail confirmation.

A second e-mail, Quick Installation Instructions, provides your Digital ID PIN and the URL to get your certificate.

Go to the URL provided, enter PIN and click Submit. This installs the certificate in your browser.

In your browser, go to Tools, Internet Options, Content and Certificates. From this screen you can view the certificate by highlighting it and selecting View.

Select Advanced and click on the Details tab for further information.

Or you can…

Press the Export button. You have a choice to export your certificate with or without the Private Key. If you need to export your certificate so that you can import it into your mail client, choose that option.

Note: If both your browser and mail client are Microsoft products, this should not be necessary.

The illustration below shows you exporting only your Public Key. This will be needed later, as it must be uploaded to CitiDirect Online Banking (S/MIME) Administration Service Class for you to be able to use Automated File and Report Delivery.

CitiDirect Online Banking only needs the Public Key.

Save the key to an easily remembered file on your PC.

If you do need to install the entire certificate (Public and Private Keys) on your e-mail client, these alternative screens will be shown:

Select Strong Encryption. Your Private Key requires a Password. Type and Confirm.

Click Finish, then OK.

The alternative screen for exporting with the Private Key is shown.

If you need to import your certificate into Outlook, go to Outlook, Tools, Options, Security, and click the Import/Export button. Browse to your certificate file, enter the password you created when exporting it, and give the certificate a name. Click OK.

To confirm or change the setup of your certificate and e-mail, open Outlook. From the Tools menu, click Options and then select the Security tab. The following screen appears:

Click the Setup Secure E-mail button under the Secure e-mail section. The Change Security Settings dialog displays.

Outlook 2000 views your certificates, determines which ones are valid for e-mail encryption and digital signatures, and chooses a certificate for each. If the certificates that Outlook selects are not the ones you want to use, you can change the default selections.

Click the Choose button in the Encryption Certificate section to select a certificate for e-mail encryption.

Note: CitiDirect Online Banking requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup.

If the certificates do not match, use the dropdown menu to select the appropriate certificate and click OK.

Note: You may want to change other settings on this page if you plan on using S/MIME to send mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, these choices should reflect your personal preferences.

Click OK to close the Change Security Settings dialog box and return to the Options dialog box.

Click Apply and then click OK to close the Options dialog box.

1. Validating an E-mail Message Signature

For Outlook 2000, you can validate the signature of a message by clicking on the certificate icon in the upper right hand corner. Clicking on the “red” certificate icon will open up a window detailing the signature that was used to sign the message. Ensure that the signature states that it was signed by CitiDirect Online Banking.

Microsoft Outlook Express 5.X

Here are the steps needed to configure Outlook Express to read S/MIME Secure Mail messages. The procedure will remain the same for later versions of Outlook Express, except for some minor differences.

From the Tools menu, click Accounts and then click the Mail tab. Select your mail account, and click the Properties button. Click the Security tab to display security-related properties for your mail account. In the Signing certificate area, click Select. The Select Default Account Digital ID dialog box appears.

Click the certificate you would like to use. Outlook Express recognizes only those certificates for S/MIME use that include your e-mail address in the certificate’s Subject field.

Note: CitiDirect requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup.

Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, this choice should reflect your personal preferences.

Click Apply and then click OK to close the Select Default Account Digital ID dialog box.

Click OK to close the Properties dialog box for your mail account.

Click Close to close the Internet Accounts dialog box.

Microsoft Outlook Express 4.0

The next screen you will see is the option to install the certificate in the browser/e-mail client you want to use, in this case Microsoft Outlook Express 5.X. Click the Install button.

On the Tools menu, click Accounts. Click the Mail tab, click the mail account in which you want to use a Digital ID, and then click Properties. On the Security tab, click the “Use a Digital ID when sending secure messages from <e-mail address>” check box to select it and then click Digital ID.

Note: CitiDirect requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup.

If the certificates do not match, using the dropdowns, select the appropriate certificate and select OK.

Note: You may want to change other settings on this page if you plan on using S/MIME to send mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, this choice should reflect your personal preferences.

Click the appropriate certificate, click OK, and then click Close.

Note: If you do not have CitiDirect’s (the sender’s) certificate (Public Key) imported into your address book, Outlook Express displays the following security warning message:

“The certificate used to sign this message is either not listed in your Address Book or marked as not trusted by you. Continue to open this message?”

If you have the sender’s Public Key imported into your address book and the certificate is marked as Not Trusted By Me, Outlook Express displays the following security warning message:

“You do not trust the certificate used to sign this message. Continue to open this message?”

Microsoft Outlook 98

The next screen you will see is the option to install the certificate in the browser/e-mail client you want to use, in this case Microsoft Outlook 98. Click the Install button.

To import a downloaded Digital ID into your address book for Outlook 98:

Open Contacts from Outlook 98 (Click on the Contacts icon). Add CitiDirect (** need exact e-mail address here ****) to your contact list. Select the Certificates tab in the Contact window. Click on the Import button. Locate the Digital ID you downloaded from CitiDirect and click the Open button. Click on Save and close.

Note: CitiDirect requires that the Encryption Certificate matches the certificate that was uploaded to CitiDirect during the e-mail delivery setup.

If the certificates do not match, make the appropriate changes using the supplied User Interface and select OK.

Note: You may want to change other settings on this page if you plan on using S/MIME to SEND mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, this choice should reflect your personal preferences.

Netscape 4.x (Communicator/Messenger)

What follows are instructions for getting a Digital ID for Sending/Receiving Secure Messages (S/MIME) and installing it in Netscape 4.X.

Please refer to the following site for more information on using S/MIME with Netscape Messenger.

http://www.verisign.com/smime/guide/nsemail.html

To get a digital certificate, you must first decide which CA (Certificate Authority) you would like to use. If you follow the Security, Certificates, Yours, Get a Certificate option within Netscape, you will be taken to a page where you can pick from a predefined list of Certificate Authorities. Pick a CA; follow its enrollment instructions for personal/e-mail certificates. Toward the end of the process you will be prompted by Netscape to generate a Private Key.

For Netscape Communicator you will be asked to generate your Private Key for the certificate request. The following screen will appear.

Click OK to continue. The next screen will require you to enter your password to access your private keystore.

If you have recently installed Netscape on your system or have never used any of Netscape’s security features, you may be asked to create and set up a Netscape Communicator password. Citibank highly recommends taking this action. By doing so, you effectively prevent any individual, other than yourself, from managing, importing or exporting digital certificates on your machine. This password also restricts other individuals from sitting down at your machine and signing e-mail messages with your Digital ID.

Note: Be sure to remember your Communicator password. This is a Netscape function, included with Communicator for your security. If you forget your password, you will not have access to manage, deploy or use your Digital ID. There is nothing your CA and/or Netscape can do in the event that this happens and ANY digital certificates you may have will be rendered useless.

The Authentication Phase is carried out by your CA. Depending on the type of certificate you are requesting, this process might be quite simple or rather complex.

After you complete the enrollment process explained in the above steps, depending on your CA and the type of certificate you requested, they will either e-mail you that your certificate is available or send you some form of postal mail. Irrespective of the mode of delivery, the message will contain specific information on how you can pick up your Digital ID.

This mailing usually includes such items as a URL you can use to get your Digital ID along with some form of PIN number.

Go to the URL included in the e-mail and complete the Certificate retrieval process.

Note: Since you will be installing your Digital ID in Netscape, you must go to the pickup page using Netscape Communicator. This causes the Digital ID to be installed in your browser, in turn allowing the Netscape Messenger client to locate it.

The Retrieval Phase consists of getting your certificate for use. For e-mail certificates, most CAs will notify you of your certificate’s availability by e-mail. For other certificate types (server certificates, for example), some certificate authorities use e-mail, others may use the postal service. Irrespective of the method of communication, most will provide you with a URL where you can retrieve your certificate online. Follow your CA’s instructions for retrieving your certificate.

If you retrieve your certificate using Netscape (Communicator/Messenger), a series of windows will be displayed requesting that you name and save your certificate.

Select OK to continue.

You may want to select the Save As button to keep a copy of your personal certificate for backup purposes.

Click Continue. This completes the certificate retrieval process.

To verify that your Digital ID has been successfully installed in Netscape Communicator, click on the Security tab at the top of the browser window.

Under Certificates, click Yours. Your named certificate should be displayed.

Your e-mail client is now ready to receive S/MIME messages.

Netscape Communicator/Messenger

To ensure security and privacy, Netscape Messenger provides encryption (scrambling) and digital signing (authentication) of e-mail messages. Messenger’s privacy features comply with the Secure Multipurpose Internet Mail Extensions (S/MIME) standard. The S/MIME standard allows Messenger to send and receive encrypted messages and authenticate received messages. Using the S/MIME standard, Messenger also provides features that detect message tampering.

To enable Messenger with S/MIME follow these instructions:

Click the Security tab at the top of the Communicator window.

Select Messenger from the pop-up window’s left pane.

In the field requesting which certificate to use for signing and encrypting (“Certificate for Your Signed and Encrypted Messages:”), select your newly created certificate.

Note: CitiDirect requires that the Encryption Certificate displayed here matches the certificate that was uploaded to CitiDirect during the e-mail Delivery setup.

If the certificates do not match, using the dropdowns, select the appropriate certificate and select OK.

Note: You may want to change other settings on this page if you plan on using S/MIME to send mail to other individuals. Since you will not be sending S/MIME mail to CitiDirect, these choices should reflect your personal preferences.

Click OK and close the Security Window.

Lotus Notes®

You can import Internet certificates into your Notes® User ID. You can also export Internet certificates from your Notes User ID. Importing Internet certificates allows you to use them for SSL client authentication, and for encrypted and signed S/MIME messages. For example, if you are using a Netscape browser that is compliant with Public Key Cryptographic Standard #12 (PKCS #12), and have Internet certificates and keys (in compliance with PKCS #12) accessible from your local machine, you can import them into your Notes User ID file. On the same note, if you have Internet certificates and keys (in compliance with PKCS #12) in your Notes User ID file, you can export them to a file on your local machine and then import them to use with a Netscape browser.

To import Internet certificates into your User ID file:

Choose File — Tools — User ID.

Enter your Notes password.

Click More Options and click Import Internet Certificates.

Select the file that contains the certificates in the Specify PKCS12 File Containing the Internet Certificates dialog box and then click Open.

If the file is password protected, enter the password when prompted.

Click Accept All in the Accept Internet Certificates dialog box to accept the certificates and any Private Keys in the file.

Enter your Notes password.

Note: To check that your certificates were imported into your ID file, choose File — Tools — User ID and click Certificates. You cannot import invalid certificates or incomplete certificate chains.
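The browser export described earlier (with or without the Private Key) and the Notes import above both work on the same PKCS #12 file format. The following script is an added example using the openssl command-line tool; it is not from the CitiDirect guide or from any of the vendors it covers. It builds a password-protected PKCS #12 bundle for a constructed, self-signed identity (jane.doe@example.com stands in for a CA-issued personal certificate), extracts the certificate without the private key, which is the file CitiDirect needs, and then runs the checks a careful user would make: the public-only file contains no private key, the e-mail address is present in the certificate Subject (what the mail clients look for), and the bundle opens only with the export password. The file names, the address and the password are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the CitiDirect guide): reproduce with openssl what
# the browser export and the Notes import do with a PKCS #12 file.
# The identity, file names and password below are constructed for the example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

USER_EMAIL="jane.doe@example.com"   # constructed sample address
P12_PASS="export-password"          # constructed password protecting the private key

# Minimal req configuration so the example does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Stand-in for the CA-issued personal certificate: a self-signed key pair whose
# Subject carries the e-mail address, which is what the mail clients look for.
make_identity() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/user.key" -out "$WORK/user.crt" -days 60 \
    -subj "/CN=Jane Doe/emailAddress=$USER_EMAIL" 2>/dev/null
}

# "Export with the private key": a password-protected PKCS #12 bundle, the kind
# of file a mail client or a Notes User ID imports.
export_with_private_key() {
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" \
    -name "Jane Doe" -passout "pass:$P12_PASS" -out "$WORK/user.p12"
}

# "Export without the private key": only the certificate (public key) leaves the
# bundle. This is the file to upload to CitiDirect; it must hold no private key.
extract_public_only() {
  openssl pkcs12 -in "$WORK/user.p12" -passin "pass:$P12_PASS" \
    -nokeys -clcerts -out "$WORK/user_public.pem" 2>/dev/null
}

# Checks on the exported files: prints yes/no, or the address found in the cert.
has_private_key() { grep -q "PRIVATE KEY" "$1" && echo yes || echo no; }
cert_email()      { openssl x509 -in "$1" -noout -email; }
p12_opens_with()  { openssl pkcs12 -in "$WORK/user.p12" -passin "pass:$1" -noout 2>/dev/null && echo yes || echo no; }

make_identity
export_with_private_key
extract_public_only
echo "public-only file contains a private key: $(has_private_key "$WORK/user_public.pem")"
echo "e-mail address in certificate Subject:   $(cert_email "$WORK/user_public.pem")"
echo "bundle opens with the export password:   $(p12_opens_with "$P12_PASS")"
echo "bundle opens with a wrong password:      $(p12_opens_with wrong-password)"
```

Run it in any shell with openssl on the path; it works in a temporary directory that is removed on exit. The `-nokeys -clcerts` extraction is the command-line equivalent of choosing to export without the Private Key, and the wrong-password check is the same MAC verification Notes performs when it prompts for the file's password.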

Retrieving the Citigroup CA (Root) Certificate

This certificate is only required when the delivery method is e-mail. It allows you to automatically trust all certificates signed by Citibank.

You can retrieve Citigroup’s Certificate Authority (CA) Certificate by accessing Citibank’s Web site at the following location:

https://digitalcertificate.citigroup.com/cda-cgi/clientcgi?action=start

Note:

• If you use one of the e-mail programs provided by Microsoft (Outlook, Outlook Express), you are required to access the above site using Microsoft IE.

• If you are using Netscape® Messenger to receive your e-mail, you must access the site using the Netscape browser.

Instructions begin on the next page.

Retrieving the Citigroup CA (Root) Certificate Using IE:

Click on the link to retrieve the Citigroup Certificate Authority (CA) certificate.

The next screen will prompt you for a name for this CA. Enter something like “Citigroup CA” and select Finish. The window will close and Citibank’s CA certificate will have been installed in your browser’s local keystore.


Retrieving the Citigroup CA (Root) Certificate Using Netscape:

Click on the link to retrieve the Citigroup Certificate Authority (CA) certificate.

Using a Netscape browser, a series of dialogs will appear.


File and Report Processing via E-mail

Understanding E-mail Security (S/MIME)

An Internet mail message consists of a message header, which contains sender and recipient information, and an optional message body. The message body can contain plain text, multiple body parts or file attachments as defined by the MIME standard. MIME¹ defines a standard mechanism for carrying several content types in a single e-mail message, but it does not define how to secure the message body. S/MIME provides the security extensions that let MIME entities encapsulate security objects such as digital signatures and encrypted content. Through these extensions, the privacy and integrity of your e-mail can be protected.

While the actual risk or likelihood of interception is relatively low, without S/MIME, someone along a message’s journey could conceivably intercept one or more of these chunks of plain text and read at least part, if not all, of your message. To use a traditional postal analogy, this is similar to sending a postcard, where anyone who encounters that card along its way can read, and perhaps even modify, the message you write on the back of the card. Moreover, someone could write a postcard and forge your name and address on it, making their message appear to have come from you. Given the sensitive nature of the information being transferred to CitiDirect, protecting the message during transit is of utmost importance.

To ensure the privacy and integrity of the data transmitted from CitiDirect to you, CitiDirect uses the S/MIME² (Secure/Multipurpose Internet Mail Extensions) standard. S/MIME was designed to add security to e-mail messages in MIME format. It was chosen because it has established itself as the de facto standard for e-mail security within the industry. Moreover, S/MIME relies on established public key cryptography and is supported by most popular e-mail programs on the market today. Popular e-mail programs (including Microsoft® Outlook® Express and Outlook, as well as Netscape Communicator/Messenger) not only support S/MIME but interoperate with each other.

This decision enables us to apply a full set of security functions to e-mail. These functions include:

• Confidentiality: provided by symmetric encryption of the message content with Triple DES (168-bit key) or RC2 (128-bit key), the algorithms listed under the certificate requirements below;

• Integrity: provided by a digital signature over a SHA-1 hash of the message;

• Authentication: provided by X.509 Digital Certificates;

• Proof of a transaction, or “Non-Repudiation”: as defined by the Public Key Infrastructure (PKI).

¹ MIME is defined in Request for Comments (RFC) 2045 through 2049. It defines how a message body can contain data types other than flat ASCII.

² S/MIME 3.0 became an Internet Engineering Task Force (IETF) approved standard in June 1999. Please refer to RFCs 2632 through 2634 for further details on this standard.


End-User Certificate Requirements (E-mail)

Given that S/MIME relies on PKI, you will need to acquire a Personal E-mail Certificate (X.509) from an independent Certificate Authority (CA). VeriSign is one of the most popular certificate authorities: http://www.verisign.com/

CitiDirect recommends using S/MIME with the following symmetric encryption algorithms:

• Triple DES (more precisely DES-EDE3 in CBC mode) with a 168-bit key

• RC2 in CBC mode with a 128-bit key

You will also need to obtain another certificate for each end-user, which will allow you to automatically trust all certificates signed by Citibank.

This certificate, Citigroup’s (Citibank) CA certificate, is obtained by accessing Citibank’s Web site at the following location:

https://digitalcertificate.citigroup.com/cda-cgi/clientcgi?action=start

Note: If you are using Netscape Messenger to receive your e-mail you must access the site above using the Netscape browser. If you would like to use Microsoft’s e-mail programs (Outlook, Express), you are required to access the above site using Microsoft IE.

Additional details on obtaining and installing this certificate can be found in the “Setup Details” section of this Installation and Configuration Guide, but the Web site will also guide you through the process.

General Characteristics of AFRD E-Mail Delivery

Only one e-mail address may be specified for each automated e-mail delivery schedule.

Our mail server imposes a file size limit of 25 MB.

Due to its nature, e-mail delivery is NOT GUARANTEED. CitiDirect will know only whether it has successfully submitted the e-mail to the mail system processor (SMTP server) for delivery. CitiDirect will not know whether e-mail subsequently reached its intended recipient.

You may apply different processing controls to your e-mail activities. For example, you may configure your e-mail servers to reject e-mails with attachments that are greater than a certain size. Or you may defer delivery of e-mails with such attachments. You also may require administrative procedures to accept receipt of e-mails from a restricted list of domains outside of the company, etc.

CitiDirect Processing (Sign, Encrypt and Send)

To protect message privacy, CitiDirect Online Banking encrypts all mail using the Triple DES algorithm (a symmetric cipher) with a randomly generated secret key created for each message (the session key). CitiDirect then computes a one-way hash (SHA-1) over the encrypted data to obtain a digest, and applies a Digital Signature by encrypting that digest with its own Private Key (an asymmetric cipher). The session key is encrypted with the recipient’s Public Key so that only you, as the recipient, can recover it. All of these objects are assembled into an S/MIME e-mail message and sent using SMTP to the recipient’s e-mail address.


Client Processing (Verify Signature, Decrypt and View)

For you to decrypt and verify the integrity of the message, you must have obtained the root CA certificate of Citibank. Please refer to the section entitled “Setup Details” for more information on how to obtain it.

Assuming you have an S/MIME aware e-mail program, when the e-mail arrives at your inbox, the following steps are performed:

1. You receive a notice stating that the message is encrypted. Depending on the e-mail program, you may have to select an option to continue processing the message.

2. The session key information (protecting the message) is decrypted using your Private (secret) Key.

3. The message signature is validated using the Public Key of Citibank (and/or CitiDirect Online Banking’s Public Key, which was previously obtained).

4. The message is decrypted for viewing/processing.

If your e-mail program only displays one or two file attachments with the extension *.p7m and/or *.p7s, then your e-mail program either does not support S/MIME or has not been properly configured. Please check your e-mail product’s installation and configuration documentation for enabling S/MIME functionality.
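As an added example that is not part of the Citi guide, the two sections above (CitiDirect’s sign/encrypt step and the client’s verify/decrypt step) carried out end to end with the OpenSSL command-line tool against a throw-away test PKI. The CA name “Test AFRD CA”, the certificate subjects, the file names and the sample report are placeholders invented for this example; in production the trust anchor is the Citigroup CA certificate retrieved as described earlier, and the recipient certificate is your Personal E-mail Certificate.

```shell
#!/bin/sh
# Added example (not Citi's code): S/MIME round trip with the OpenSSL CLI in the
# order this guide describes: encrypt the report with Triple DES under a random
# per-message session key, sign the enveloped message with the sender's private
# key, then on the receiving side verify the signature against the CA and decrypt
# with the recipient's private key. Every name below is a placeholder.
set -eu

# Throw-away PKI in a scratch directory: a root CA (the role the Citigroup CA
# certificate plays), a sender certificate (CitiDirect's signing identity) and a
# recipient certificate (the end user's Personal E-mail Certificate).
afrd_make_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test AFRD CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    for who in sender recipient; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=afrd-$who" \
            -keyout "$dir/$who.key" -out "$dir/$who.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$dir/$who.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$who.crt" 2>/dev/null
    done
}

# The "cannot import invalid certificates or incomplete chains" rule from the
# Notes section: a certificate is usable only if it chains to a trusted CA.
afrd_check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Sender side ("Sign, Encrypt and Send"). -des3 is DES-EDE3-CBC with a 168-bit
# key; OpenSSL draws the session key per message and wraps it with the
# recipient's RSA public key. -binary keeps the report bytes unchanged.
afrd_sender_prepare() {
    dir=$1; infile=$2; outfile=$3
    openssl smime -encrypt -binary -des3 -in "$infile" \
        -out "$dir/enveloped.p7m" "$dir/recipient.crt"
    # Sign the enveloped message (the guide signs after encrypting). Add "-md sha1"
    # to reproduce the SHA-1 digest the guide names; current builds default to
    # SHA-256 and some distributions refuse SHA-1 signatures outright.
    openssl smime -sign -in "$dir/enveloped.p7m" -signer "$dir/sender.crt" \
        -inkey "$dir/sender.key" -out "$outfile"
}

# Recipient side ("Verify Signature, Decrypt and View"): the signature must
# verify up to the trusted CA before any decryption is attempted.
afrd_recipient_open() {
    dir=$1; infile=$2; outfile=$3
    openssl smime -verify -in "$infile" -CAfile "$dir/ca.crt" -out "$dir/verified.p7m"
    openssl smime -decrypt -in "$dir/verified.p7m" -recip "$dir/recipient.crt" \
        -inkey "$dir/recipient.key" -out "$outfile"
}

# Classify a saved message by its outermost Content-Type. A client without
# S/MIME support shows the "enveloped" layer as a bare smime.p7m attachment.
afrd_message_kind() {
    ctype=$(awk 'tolower($0) ~ /^content-type:/ { print; exit }' "$1")
    case $ctype in
        *multipart/signed*) echo signed ;;
        *pkcs7-mime*)       echo enveloped ;;
        *)                  echo plain ;;
    esac
}

# Full round trip; prints "ok" and returns 0 when the recovered file matches.
afrd_roundtrip() {
    dir=$(mktemp -d)
    printf 'acct,amount\n12345678,100.00\n' > "$dir/report.csv"   # constructed sample
    afrd_make_pki "$dir"
    afrd_check_chain "$dir/ca.crt" "$dir/sender.crt"
    afrd_sender_prepare "$dir" "$dir/report.csv" "$dir/outbound.eml"
    [ "$(afrd_message_kind "$dir/outbound.eml")" = signed ]
    [ "$(afrd_message_kind "$dir/enveloped.p7m")" = enveloped ]
    afrd_recipient_open "$dir" "$dir/outbound.eml" "$dir/report_recv.csv"
    cmp -s "$dir/report.csv" "$dir/report_recv.csv" && echo ok
}

# Stand-alone use: sh afrd_smime.sh run
if [ "${1:-}" = "run" ]; then afrd_roundtrip; fi
```

If the signer’s chain does not lead to the CA passed with -CAfile, the verify step exits non-zero and, because of set -e, no decryption is attempted; that is the ordering the client-processing steps above rely on. The outbound message’s top-level Content-Type is multipart/signed and the inner part is application/x-pkcs7-mime, which is exactly the smime.p7m attachment a non-S/MIME client displays.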

S/MIME E-mail Support

The following table highlights the e-mail programs that support S/MIME and should function properly with CitiDirect Online Banking’s Automated File and Report Delivery Service.

E-mail Program                                  CitiDirect Tested   Comments
Microsoft Outlook 98                            NO                  Requires security patch
Microsoft Outlook Express 5.X                   YES                 Windows version only (not on the Mac)
Microsoft Outlook 2000                          YES                 Supports S/MIME
Microsoft Outlook 2003                          YES                 Supports S/MIME
Microsoft Outlook Mac version 8.21 or greater   NO                  Supports S/MIME
Microsoft Outlook Express 4.X                   NO                  Supports S/MIME
Netscape Communicator 4.X                       YES                 WinTel version only, but NOT version 6.X
Novell GroupWise 6.0                            NO                  Supports S/MIME
Eudora Pro                                      YES                 Requires plug-in (Entrust); Mac not supported

For instructions on importing a certificate into the various e-mail programs, please refer to your e-mail users guide. Instructions for some popular e-mail programs can be located in a later section of this document.


E-mail Programs That Do NOT Support S/MIME

The following table lists some popular e-mail programs that either do not function properly for AFRD or do not support the S/MIME standard.

Program                        Comments
Microsoft Outlook Express      All Mac versions are NOT supported
MS Exchange Client             All versions are NOT supported
Netscape Communicator          Versions prior to 4.X are NOT supported; on WinTel, version 6.0 is NOT supported; all other platforms are NOT supported

One vendor that supports various e-mail systems is Baltimore Technologies, found at: http://www.baltimore.com/securityapplications/mailsecure/index.html

Baltimore Technologies MailSecure S/MIME-enables the following e-mail programs:

• Microsoft Exchange

• Microsoft Outlook

• Lotus® Notes™

• Qualcomm Eudora

Please Note: This information is presented here solely as a point of reference. Other commercial e-mail plug-in providers exist. Customers can choose which e-mail plug-in (if any) they require based on their corporate security policies and procedures.

S/MIME Plug-ins for Entrust Enterprise Certificates

The Entrust Entelligence™ E-mail Plug-in (currently called Entrust Express), along with Entrust Entelligence 7.1™, can be used with a variety of e-mail applications such as Microsoft Exchange, Microsoft Outlook and Lotus Notes.

It can be obtained through Citigroup or from the Entrust Web site located at: http://www.entrust.com/entelligence/email/index.htm.

Please note: If you are required (and/or prefer) to utilize Entrust Enterprise certificates to secure your e-mail communication, the Entrust Express e-mail plug-in must also be used with your e-mail program regardless of whether or not the program supports S/MIME natively.


AFRD Installation/Requirements Checklist

Client Functionality Requested

• Scheduled Reports to Browser: Type A

• Scheduled Reports via E-mail: Type B

• Scheduled Reports via HTTPS: Type C

• Reports via HTTPS (SSL Encryption Only): Type D

• Scheduled Export File(s) via E-mail: Type B

• Scheduled Export File(s) via HTTPS: Type C

• Scheduled Import File(s) via HTTPS: Type C

• Export File(s) via HTTPS (SSL Encryption Only): Type D

Type “A” Requirements

No special requirements: covered by in-session SSL.

Type “B” Requirements: SMTP with S/MIME (E-mail)

Digital Certificate (Personal E-mail Certificate for each end user)

• X.509 compliant

• Triple DES (DES-EDE3 in CBC mode) using a 168-bit key

• RC2 encryption in CBC mode using a 128-bit key

S/MIME-aware e-mail client such as:

• Microsoft Outlook Express (Windows version only)

• Microsoft Outlook

• Netscape Communicator 4.X (WinTel version only, but not version 6.X)

Mail server that supports native S/MIME such as:

• Exchange

• HP OpenMail configured for IMAP or POP3 (not MAPI)

Type “C” Requirements: HTTPS (Web Server)

Install a Web server (if one is not already available)

• Microsoft IIS Version 4.X and above

• Netscape/iPlanet Web Server Version 4.X and above

• Apache HTTP Server (plus OpenSSL or mod_ssl) Version 1.3 and above

Enable Secure Sockets Layer (SSL) if not already enabled

• Minimum encryption strength is a 128-bit symmetric cipher with a 1024-bit RSA (public) key


• Activate SSL security (at folder or root level)

• Other SSL configuration requirements

Create a user account for exclusive use by CitiDirect

• GET functionality must be enabled for file import

• PUT functionality must be enabled for file export

Dedicated Internet connection, minimum T1 (1.544 Mbps)

HTTPS connection on port 443 for GET and PUT

Acquire a Digital Certificate from a Certificate Authority (CA)

• The certificate must be an SSL Server Certificate issued by a CA on the Citibank approved list (see appendix)

• It must support 128-bit encryption with a 1024-bit RSA key

Create a CitiDirect user (User ID and Password) on your Web server

• Citibank recommends that the password be at least six characters in length and changed frequently

• NOTE: when you change this password, please ensure that it is also changed in CitiDirect (Delivery Options Library) in order to avoid scheduled job failures

• NOTE: you will provide this information to Citibank during the definition phase of the Delivery Method (File Delivery scheduling process)

Establish Access Rights for this CitiDirect User

• For Export, write (PUT) authorization is required

• For Import, read (GET) authorization is required

• Ensure that access is given to the appropriate directory location(s)

• Ensure that the assigned directories are restricted from any/all other users

• If there will be multiple Import Files, ensure that the HTTP LIST command is also enabled for the specified directory and user

Minimum Configuration Parameters for SSL v3 Cipher Suite

• RC4 or RC5 symmetric algorithm with 128-bit cipher strength

• RSA Public Key Algorithm with 1024-bit key strength

• SHA-1 Message Authentication Hash / Digest Algorithm

• NOTE: CitiDirect supported SSLv3 ciphers include:

  - RC4 with MD5

  - RC2 with MD5

  - Triple DES with MD5

• NOTE: SSL v3 and the RC4, RC2 and MD5-based cipher suites above have since been deprecated and should not be relied on; they are listed here as the minimum CitiDirect accepted when this guide was written (January 2010). Where both the Web server and CitiDirect allow it, configure TLS 1.2 or later with current cipher suites instead.


End-User Software and Certificate Requirements

• PKCS #7 standard

• Entrust Entelligence 7.1 software (can be obtained from Citibank)

• Ports to be opened if certificates are obtained through Citigroup:

  - 389 to check certificates against our directory services (LDAP);

  - 709 to send certificates to our CA;

  - and 829 to renew the certificate.

• Use Entelligence to retrieve the enterprise certificate from Citigroup

Type “D” Requirements: HTTPS, SSL Encryption Only (Web server)

• Exactly the same requirements as documented for Type “C”, except that there are no end-user software or certificate requirements. A customer can choose to have data files and reports delivered through an encrypted SSL session without additional encryption of the file and/or report itself.

• This security method is named “None with SSL” and can be configured in the Delivery Option table found online in CitiDirect. Currently, this applies to files and reports delivered from CitiDirect AFRD to the customer. Payment files originating from the client for import into CitiDirect require file encryption.


When the New Certificate Authority window displays, click Next to continue.


Another window will appear explaining the role of a Certificate Authority. Click Next to continue.


Another window displays where you can view (More Info) Citibank’s Public Key information. Select More Info for certificate details. When complete select Next to continue.


After selecting Next, the above window appears where you MUST select at least the option for using the Citibank CA to certify e-mail users, since Citibank will be sending you files signed with our Private Key, and your e-mail program verifies those signatures with the Public Key in the certificate you are installing.


Depending on your comfort level, please choose the appropriate option above and select Next.


The next screen will prompt you for a name for this CA. Please enter in something like the following “Citigroup CA” and select Finish. The window will close and Citibank’s CA will have been installed in your browser’s local keystore.


Disclaimer

The authoritative and official text of this CitiDirect Online Banking documentation shall be in the English language as used in the United States of America. Any translation of any CitiDirect documentation from English to another language is done solely for the convenience of the reader, and any inconsistencies or inaccuracies between the English text and that translation shall be resolved in favor of the English text.

These materials are proprietary and confidential to Citibank, N.A., and are intended for the exclusive use of CitiDirect Online Banking customers. The foregoing statement shall appear on all copies of these materials made by you in whatever form and by whatever means, electronic or mechanical, including photocopying or in any information storage system. In addition, no copy of these materials shall be disclosed to third parties without express written authorization of Citibank, N.A.

Customer shall be solely responsible for the use of any User identifications, passwords and authentication codes that may be provided to it, from time to time, in connection with CitiDirect Online Banking (collectively, “User IDs”). Customer agrees to keep all User IDs strictly confidential at all times. Customer shall immediately cease use of CitiDirect Online Banking if it receives notification from Citibank, or otherwise becomes aware of, or suspects, a technical failure or security breach. Customer shall immediately notify Citibank if it becomes aware of, or suspects, a technical failure or security breach.

January 2010


Global Transaction Services www.transactionservices.citigroup.com

© 2010 Citibank, N.A. All rights reserved. Citi and Arc Design, Citibank, CitiDirect and WorldLink are trademarks and service marks of Citigroup Inc. or its affiliates, used and registered throughout the world. All other trademarks are the property of their respective owners.

WorldLink® Payment Services is owned and operated by Citibank Europe plc, a Dublin (Head Office) based and incorporated subsidiary of Citigroup Inc.

598200 GTS25399 1/10