Answer ID 10551 |
Last Review Date 04/01/2019
Environment:
Email
Oracle B2C Service, All versions
Resolution:
This answer is intended to provide guidelines on how to setup email encryption and digital signing by using S/MIME. Before proceeding with these steps, it is important to understand what S/MIME signing and encryption is and how it is different than regular email security. For a better understanding of what security comes standard with your emails without S/MIME when using Oracle B2C Service, please review the following answer.
Oracle Mailboxes and TLS
*Note: There are certain situations where S/MIME security options are not available. Below is a list of situations.
- In Outreach and Feedback mailboxes.
- When editing multiple incidents simultaneously.
- When using delayed reporting on the Workspace editor. S/MIME works only if you clear the Delay Report Execution check box in the Report Behavior drop-down menu for the Contacts relationship item control on the Workspace editor’s Design tab.
What is S/MIME?
S/MIME is an industry standard for ensuring the security of message content through the use of electronic signatures, encryption, or both.
An email address that uses S/MIME has a
public certificate as well as a
private key that corresponds to the public certificate. The public certificate authenticates the sender and can be used for encryption. The person/entity who sends the email can use the receiver's public certificate to encrypt the email, which can then be decrypted only by the receiver using the receiver's private key.
For more information regarding S/MIME, please see our documentation below.
How do I set this up?
Setting up S/MIME in Oracle B2C Service is broken into two parts. The first is setting up the mailbox in Oracle B2C Service and the second is setting up the contact record.
*Note: The transfer of certificates needs to take place between a contact and the Oracle B2C Service site to allow for encryption. This will be covered in the second part of the setup.
Part 1: Setting up the mailbox in Oracle B2C Service
1) Obtain an email certificate and private key
There are many Certificate Authority vendors out there that will supply an email certificate such as DigiCert. When obtaining a certificate, it needs to be created for the Envelope From address of the mailbox as configured in your Oracle B2C Service site. This certificate should contain a private key as well and be in a password-protected Personal Information Exchange PKCS#12 format, using a .pfx or .p12 file extension. The certificate also needs to be capable of Key Encipherment (Encryption) and Digital Signing.
*Note: Oracle does not provide these certificates.
2) Upload the certificate to the mailbox
- In your site, navigate to Configuration>Site Configuration>Mailboxes and select the mailbox the certificate was created for.
- In the ribbon click on "Security".
- Under the section for S/MIME click the Browse icon to locate the .pfx or .p12 certificate created for the mailbox.
- Provide the original password used for the certificate and then you can apply a new password if you want or keep the same password.
- Save changes to the mailbox.
*Note: After the save, you may be presented with a notification. If it states, "Certificate is not trusted." this means that there is not a good path to the root certificate in your site. Your options are to obtain the root certificate from the vendor who supplied the certificate and upload it to file manager or to check the "Import untrusted certificates" found below the S/MIME section of the mailbox security settings. Please see the following link to our documentation for more information on uploading additional root certificates.
Part 2: Setting up the contact
Send signed emails
In order to encrypt emails, you must have the receiver's certificate. With this said, if you want to send an encrypted email to a contact from Oracle B2C Service the contact needs to have sent in a digitally signed email that contains their certificate. Oracle B2C Service will then store this certificate to the contact record in the contacts.cert field. Likewise, if you would like a contact to be able to send encrypted email to Oracle B2C Service, you must send a signed incident response to the contact. The contact can then store the certificate on their local machine.
To send a signed email from the contact's mail client, please review the documentation for that mail client.
To send a signed email from Oracle B2C Service, please follow these steps.
- In the incident, click Options and select the Always Show for Response and Show Sign/Encrypt check boxes below Email Message Header.
- Select the Sign check box. (*Note: You cannot select the Sign check box if the Service mailbox does not have a certificate that allows sending encrypted email.)
Setup Complete
Once the signed emails have been exchanged, you should be ready to use S/MIME and send encrypted emails. To send an encrypted email from Oracle B2C Service, please follow these two steps.
- In the incident, click Options and select the Always Show for Response and Show Sign/Encrypt check boxes below Email Message Header.
- To encrypt your response to the contact, click the Do Not Encrypt drop-down menu and select Encrypt When Possible or Encrypt Always. (*Note: You cannot select an encryption option if the contact you are responding to does not have a certificate that allows receiving encrypted email. If you select Encrypt Always, you can select only addresses that have certificates associated with them. )
For more information on sending signed and encrypted incident responses, please see our documentation below.
Sign and Encrypt an Incident Response
