OS4X Enterprise - ComSecure
What is ComSecure
ComSecure is a security toolkit used by (at least) Audi and VW for securing data interchange. It is a product of the company T-Systems.
How is ComSecure usable in OS4X
When sending OS4X jobs, ComSecure can be used in a configurable way to encrypt all files via an OS4X Enterprise plugin ("ComSecure encrypt"). Every partner can be configured to use a different partner certificate for encryption.
In receiving environments, configure the OS4X Enterprise plugin "ComSecure decrypt" as the first plugin of the default receive plugin group. It automatically detects the correct key for decryption, using functionality of the installed ComSecure environment.
Managing OS4X ComSecure integration
OS4X offers an easier way of using ComSecure than the command-line interface: it is managed via a web interface. This web interface is available in the administrative web interface under the menu item "Tools" -> "Manage ComSecure" (button).
Licensing
The actual licensing process is as follows:
- the OS4X customer buys OS4X with ComSecure integration
- the OS4X customer asks the OS4X license dealer for a ComSecure license
- the license dealer contacts Gedas/T-Systems ComSecure support for a license with the company name of the OS4X customer
- the license is sent to the OS4X license dealer via e-mail
- the license file is forwarded to the OS4X customer for import
Importing license
When no valid license is installed, the web interface offers an easy file upload mechanism for the license file.
Import partner certificate
A simple file upload mechanism provides partner certificate management. Just select the file you received and assign a ComSecure internal description ("Partner ID"):
After successful upload and import, the list contains the certificate for later usage (with the given identification):
Plugin group integration
In order to use ComSecure for outgoing processes (that is, to encrypt outgoing files for the partner), you must define a plugin group that uses the plugin "ComSecure encrypt". This is an example of such a plugin group, to which you may add additional plugins such as ENGDAT encoding, file movement etc.:
Assign plugin group to partner
In order to use this plugin group for outgoing jobs, assign it at the needed level (partner, location, department or recipient; the deepest level that has a configuration is used):
Right after that, you have to configure the plugin group to use a specific partner entry. Click on the icon or link "configure this plugin group":
A new window pops up (disable any blocking mechanisms like popup blocker etc.!) to configure the plugins of the plugin group:
Click into the text area (which contains "AUDI" in this example) to configure the partner entry to use:
Select an entry to activate it as configured entry.
Receiving ComSecure encrypted files
How files are decrypted correctly depends on the way they are handled:
All files are transferred encrypted
This also includes possible ENGDAT abstract files. The recommendation is to integrate the plugin "ComSecure decrypt" into the configured default receive plugin group:
ENGDAT abstract files are not encrypted, the payload of the job is encrypted
In order to minimize the load on the server, you should integrate the ComSecure decryption into a separate receive plugin group that is executed after OS4X has retrieved the destination information. Configure this special plugin group as the receive plugin group of your recipients.
Troubleshooting
In order to use ComSecure manually, please use the following guidelines:
export GDCSCONFFILE=/opt/os4x/ComSecure/conf/gdcsconfig.ini
- start every call of every ComSecure binary in its binary installation directory with its absolute path. Example:
cd /opt/os4x/ComSecure/bin; ./gdcskeyimp ...
- the license is located (default) at:
/opt/os4x/ComSecure/lic/rdkey.dat
as referenced in the configuration file /opt/os4x/ComSecure/conf/gdcsconfig.ini:
[CONFIGURATION]
KEYCNFFILE = /opt/os4x/ComSecure/conf/gdcskeycnf.ini
KEYIMPORTDIR = /opt/os4x/ComSecure/keydir
LICFILE = /opt/os4x/ComSecure/lic/rdkey.dat
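As an added example (not part of OS4X or ComSecure), the following shell functions check the environment described above before a ComSecure binary is called manually: they read GDCSCONFFILE, look up the three keys of the [CONFIGURATION] section and verify that each referenced path exists and is not world-writable. The function names and the world-writable check are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check before calling ComSecure binaries manually.
# Paths and INI keys come from the page; function names and the
# "not world-writable" policy are assumptions of this example.

# Print the value of key $2 from the [CONFIGURATION] section of INI file $1.
gdcs_conf_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[CONFIGURATION\]/); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Check GDCSCONFFILE and every path it references.
# Returns 0 when everything is in place, otherwise the number of problems.
gdcs_preflight() {
    problems=0
    conf=${GDCSCONFFILE:-}
    [ -n "$conf" ] || { echo "GDCSCONFFILE is not set"; return 1; }
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    for key in KEYCNFFILE KEYIMPORTDIR LICFILE; do
        path=$(gdcs_conf_get "$conf" "$key")
        if [ -z "$path" ]; then
            echo "$key: not set in [CONFIGURATION]"
        elif [ "$key" = KEYIMPORTDIR ] && [ ! -d "$path" ]; then
            echo "$key: $path is not a directory"
        elif [ "$key" != KEYIMPORTDIR ] && [ ! -f "$path" ]; then
            echo "$key: $path is not a file"
        elif [ -n "$(find "$path" -prune -perm -002)" ]; then
            # Key material and license should not be writable by everyone.
            echo "$key: $path is world-writable"
        else
            continue
        fi
        problems=$((problems + 1))
    done
    return "$problems"
}
```

Source the file in the shell where GDCSCONFFILE is exported and run gdcs_preflight; each reported line names the configuration key and the path that needs attention.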





