Sybernet / Supplied Software
Release 3.00
Jun 15, 2008

SSL Sybernet

The SSL version of Sybernet allows you to connect directly to Sybernet with your client certificate, bypassing your SSL web server and the Sybernet CGI. The SSL version of Sybernet was built using OpenSSL. OpenSSL implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

The SSL version of Sybernet is available at https://mis.sri.com:7777/, which is unavailable from outside our network.

This document describes how you can send encrypted e-mail to a client. It does not matter whether you are running the SSL version or the non-SSL version of Sybernet. The version of Sybernet running on oradev, oradssd, and oraprod is a non-SSL version that is OpenSSL aware.

You will want to note the following parameters to SP_CRON_INSERT when sending encrypted e-mail:

argument       Description
contenttype    application/x-pkcs7-mime
disposition    Disposition is required if your content-type is not text/html, if you want to name this document, or if you wish your e-mail to be an attachment.

Sybernet allows you to specify a filename for both inline and attachment. This is different from the normal use of disposition (where inline does not allow you to specify a filename).

Example

Here's a simple example that sends an encrypted e-mail to me:

DECLARE
    ROW_ID BINARY_INTEGER;
BEGIN
    SAVEPOINT OOPS;
    ROW_ID:=HTTP.SP_CRON_INSERT
    (
        PROCNAME       => 'HTTP.SHOW_COLORS'
    ,   TITLE          => 'Show Colors'
    ,   EMAIL          => 'xxxxx.xxxxxxx@xxx.xxx'     -- recipient; a certificate for this address must be found via LDAP
    ,   CC             => NULL
    ,   BCC            => NULL
    ,   SENDER         => 'xxxxx.xxxxxxx@xxx.xxx'
    ,   PRIORITY       => NULL
    ,   SCRIPTNAME     => NULL
    ,   FORMAT         => 'SUPPRESSED'
    ,   FILTER         => NULL
    ,   CONTENTTYPE    => 'application/x-pkcs7-mime'  -- S/MIME: tells Sybernet to encrypt the message
    ,   DATENAME       => 'ONCEONLY'
    )   ;
    IF (ROW_ID != -1) THEN                            -- SP_CRON_INSERT returns -1 on failure
        COMMIT WORK;
    ELSE
        ROLLBACK TO SAVEPOINT OOPS;
    END IF;
END;

Example

Here's the same example that specifies disposition as an attachment:

DECLARE
    ROW_ID BINARY_INTEGER;
BEGIN
    SAVEPOINT OOPS;
    ROW_ID:=HTTP.SP_CRON_INSERT
    (
        PROCNAME       => 'HTTP.SHOW_COLORS'
    ,   TITLE          => 'Show Colors'
    ,   EMAIL          => 'xxxxx.xxxxxxx@xxx.xxx'
    ,   CC             => NULL
    ,   BCC            => NULL
    ,   SENDER         => 'xxxxx.xxxxxxx@xxx.xxx'
    ,   PRIORITY       => NULL
    ,   SCRIPTNAME     => NULL
    ,   FORMAT         => 'SUPPRESSED'
    ,   FILTER         => NULL
    ,   CONTENTTYPE    => 'application/x-pkcs7-mime'
    ,   DISPOSITION    => 'attachment;filename="colors.html"'  -- inline;filename="..." is also accepted
    ,   DATENAME       => 'ONCEONLY'
    )   ;
    IF (ROW_ID != -1) THEN
        COMMIT WORK;
    ELSE
        ROLLBACK TO SAVEPOINT OOPS;
    END IF;
END;

Note: You want to specify disposition so that your e-mail client knows how to interpret your encrypted e-mail.


Sybernet and LDAP

Sybernet retrieves certificates from an LDAP server, so your LDAP server must be defined through the Sybernet Utility. You cannot send encrypted e-mail to anyone who is not defined in your LDAP server. If you attempt to send an e-mail to anyone who is not defined in LDAP, you (or they) will get a nasty error message saying that the e-mail could not be encrypted, and you will have to edit your list of recipients before the encrypted e-mail can be sent. This also means you cannot send encrypted e-mail to an e-mail exploder (a mailing-list address), but you can send encrypted e-mail to an alias (or group) in Sybernet. For more information about aliases (groups) in Sybernet, please refer to the document about the Sybercron Register.

Sybernet retrieves your certificate from an LDAP server by calling ldapsearch, which you define from the Sybernet Utility. You can specify any number of LDAP servers, and the path to ldapsearch is unique to each. That means you can create your own ldapsearch and retrieve certificates from anywhere you want, as long as you have access to the Sybernet Utility and can create your own executable on this host.

I wrote my own version of ldapsearch. It is a c-shell script. It does pretty much the same thing as the real ldapsearch, except that I can retrieve certificates from anywhere I want. What this means is that you can send encrypted e-mail to any outside vendor, whose certificate does not have to reside in a real LDAP server, as long as you have their certificate. The current version expects the certificate to exist in LDIF form, to contain the recipient's e-mail address in its filename (xxxx.xxxxxxx@xxx.xxx) suffixed with .ldif (xxxxx.xxxxxxx@xxx.xxx.ldif), and to be placed under $SYBERNET/data. Here is what my certificate looks like in this directory:

dn: uid=xxxxx,ou=xxx xxxxxxxxxx,o=xxx xxxxxxxxxx,c=xx
usercertificate;binary:: MIIElTCCA/6gAwIBAgIQBDIaYyHJ/s1idt3GCoplNTANBgkqhkiG
 9w0BAQQFADCB2DELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEVNSSSBJbnRlcm5hdGlvbmFsMR8wHQYD
 VQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0
 cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwMjEwMC4GA1UECxMnQ2xhc3MgMiBPblNpdGUg
 SW5kaXZpZHVhbCBTdWJzY3JpYmVyIENBMR0wGwYDVQQDExRTUkkgSW50ZXJuYXRpb25hbCBDQTAe
 Fw0wNzA1MDkwMDAwMDBaFw0wODA1MDgyMzU5NTlaMIHqMRowGAYDVQQKFBFTUkkgSW50ZXJuYXRp
 b25hbDEoMCYGA1UECxQfSW5mb3JtYXRpb24gVGVjaG5vbG9neSBTZXJ2aWNlczFGMEQGA1UECxM9
 d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L0NQUyBJbmNvcnAuIGJ5IFJlZi4sTElBQi5MVEQo
 Yyk5OTEcMBoGA1UECxQTRW1wbG95ZWVJRCAtIEUxNDU2ODEWMBQGA1UEAxMNRGVuaXMgV29ya21h
 bjEkMCIGCSqGSIb3DQEJARYVZGVuaXMud29ya21hbkBzcmkuY29tMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQDWhs7WFkC0c667HIFZXLU2LwmmPLrpyXkjCj9k3zq3MuMxJocSBvCUouxvWfHM
 G1/BGi3npSwQ8BTODAUa4xB7YGKn1E9EQPAdC1BZImezpHf0CUR7NdwjDsqv5fn/FeUfL51ERLje
 WIIbyeXgy0TBK2gp6PL4pzmKiQri0Gey1wIDAQABo4IBSjCCAUYwCQYDVR0TBAIwADCBrAYDVR0g
 BIGkMIGhMIGeBgtghkgBhvhFAQcXAjCBjjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNp
 Z24uY29tL0NQUzBiBggrBgEFBQcCAjBWMBUWDlZlcmlTaWduLCBJbmMuMAMCAQEaPVZlcmlTaWdu
 J3MgQ1BTIGluY29ycC4gYnkgcmVmZXJlbmNlIGxpYWIuIGx0ZC4gKGMpOTcgVmVyaVNpZ24wCwYD
 VR0PBAQDAgWgMBEGCWCGSAGG+EIBAQQEAwIHgDBqBgNVHR8EYzBhMF+gXaBbhllodHRwOi8vb25z
 aXRlY3JsLnZlcmlzaWduLmNvbS9TUklJbnRlcm5hdGlvbmFsSW5mb3JtYXRpb25UZWNobm9sb2d5
 U2VydmljZXMvTGF0ZXN0Q1JMLmNybDANBgkqhkiG9w0BAQQFAAOBgQAkXQyCgqHjsJrkn62dZPrU
 xqeCQCj04lWZoGVCpaog0ZN8E7S61Qh0YTKE1SRfmkucwbfOknUTmHiia7DaCvU0CtFZiSPZZKQv
 w48110U+VsaZi8rworms5zQtlbN5ztytaOe+X4jcAIGF088Ij3dsTilJlSGxm4UHyyNjYNyvzA==

My version of ldapsearch resides under $SYBERNET/bin. You can roll your own and define another copy of ldapsearch or you can modify my version to make it do what you want it to do.

Example

The following example illustrates how you would define an LDAP server through the Sybernet Utility:

Example

The following example illustrates how you might define your own version of ldapsearch. Note that USERNAME is not defined, nor does it appear in the ldif file. Note that BASEDN is required by the Sybernet Utility, but it is given a bogus value here because my ldapsearch does not use it. Remember, I wrote my own version of ldapsearch, so I can accept or ignore any parameters I want. In this example I am also using HOSTNAME as the path to the folder containing our ldif files.
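The page does not reproduce the c-shell ldapsearch described in the two passages above, so here is an added example of the same idea, written by the editor in POSIX sh rather than taken from Sybernet: it serves a recipient's certificate from <address>.ldif under the folder passed in place of the host name. The command-line shape is an assumption, since the page does not show what Sybernet actually passes: -h carries HOSTNAME (used as the folder), -b carries BASEDN (ignored), -D and -w carry USERNAME and a password (ignored), and the recipient arrives as a mail=<address> filter. Because the address comes from the recipient list and is turned into a filename, the script validates it before touching the filesystem, and it refuses an entry that has no usercertificate;binary attribute so the problem is reported here rather than as the generic "could not be encrypted" error. The sample LDIF files written by make_sample_store are constructed and contain no real certificate.

```shell
#!/bin/sh
# Added example, not Sybernet's own c-shell ldapsearch: a POSIX sh stand-in
# that serves a recipient's certificate from <address>.ldif under a folder.
# Assumed (the page does not show the exact command line Sybernet builds):
#   -h <folder>   HOSTNAME, reused here as the folder holding the LDIF files
#   -b <basedn>   BASEDN, required by the Sybernet Utility, ignored here
#   -D / -w       USERNAME and password, accepted and ignored
#   mail=<addr>   the search filter naming the recipient

# Accept only a plain single e-mail address. The address becomes part of a
# filename, so anything outside [A-Za-z0-9._@+-], a "..", or a leading "."
# or "-" is refused before it can reach the filesystem.
valid_address() {
    case "$1" in
        ''|*[!A-Za-z0-9._@+-]*|*..*|.*|-*) return 1 ;;
        @*|*@|*@*@*) return 1 ;;   # need exactly one '@' with text on both sides
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the LDIF entry for one recipient, or fail with a reason on stderr:
# 1 = no file, 2 = malformed address, 3 = entry carries no certificate.
lookup_cert_ldif() {
    dir=$1
    addr=$2
    valid_address "$addr" || { echo "refusing malformed address: $addr" >&2; return 2; }
    file="$dir/$addr.ldif"
    [ -f "$file" ] || { echo "no certificate on file for $addr" >&2; return 1; }
    # Sybernet needs the usercertificate;binary attribute to encrypt, so an
    # entry without it is reported here instead of failing later downstream.
    grep -q '^usercertificate;binary:: ' "$file" || {
        echo "$file has no usercertificate;binary attribute" >&2
        return 3
    }
    cat "$file"
}

# Parse an ldapsearch-style command line and run the lookup.
ldapsearch_main() {
    dir=''
    addr=''
    while [ $# -gt 0 ]; do
        case "$1" in
            -h) [ $# -ge 2 ] || return 2; dir=$2; shift 2 ;;
            -b|-D|-w) [ $# -ge 2 ] || return 2; shift 2 ;;
            mail=*) addr=${1#mail=}; shift ;;
            *) shift ;;   # any other ldapsearch option: ignored
        esac
    done
    if [ -z "$dir" ] || [ -z "$addr" ]; then
        echo "usage: ldapsearch -h <ldif folder> -b <basedn> mail=<address>" >&2
        return 2
    fi
    lookup_cert_ldif "$dir" "$addr"
}

# Constructed sample store for trying this offline; the base64 blob is a
# placeholder, not a real certificate.
make_sample_store() {
    mkdir -p "$1"
    printf 'dn: uid=alice,o=example\nusercertificate;binary:: QUFBQQ==\n' \
        > "$1/alice@example.test.ldif"
    # carol has an entry but no certificate, so a lookup for her must fail
    printf 'dn: uid=carol,o=example\nmail: carol@example.test\n' \
        > "$1/carol@example.test.ldif"
}

# Run as a program when given arguments, e.g.
#   sh ldapsearch.sh -h "$SYBERNET/data" -b o=bogus mail=alice@example.test
if [ $# -gt 0 ]; then
    ldapsearch_main "$@"
fi
```

Installed under $SYBERNET/bin in place of the real ldapsearch and registered through the Sybernet Utility with HOSTNAME set to the LDIF folder, this behaves as the text describes; a production version could additionally decode the base64 and check it parses as a certificate before returning it.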

Example

The following example illustrates how you can send encrypted e-mail with the Sybercron Register:


See Also

SP_CRON_INSERT
SP_HTML_CRON_REGISTER
Sybernet Sybercron
Sybernet Utility

Sybernet is a trademark of SRI International.
Copyright © 1996-2008 SRI International. All Rights Reserved.
Denis D. Workman / http://Sybernet.sri.com/