Isode R15.1 - Major Changes and Improvements

R15.1 is the current release. R15.1 was preceded by R15.0.

This page summarizes new features in Isode's R15.1 release. Features have been broken down into the following sections:

  1. Messaging
  2. Directory
  3. XMPP
  4. Preview Release: Security Label Server

Messaging

New messaging capabilities include:

  • Message Correlation in MConsole. R15.0 added audit logging and audit database support for delivery reports (SMTP DSNs and X.400 DRs) and read receipts (SMTP MDNs and X.400 IPNs). MConsole now provides correlation capabilities to make use of this information. The Tracking view has been extended so that it can search for messages, delivery reports, and read receipts. This view provides correlation, so that you can see the delivery reports and read receipts associated with a message.
  • A new "Acknowledgements" view has been added, to enable tracking of different types of acknowledgement. The primary goal of this view is to enable real time tracking of errors and “missing” acknowledgements. The expected time (after which acknowledgements are considered missing) can be configured for delivery reports and read receipts, dependent on message priority (standard and military).
  • Acknowledgement Correlation problem alerting. A new QoS Daemon has been added, which monitors for "missing" acknowledgements. Any problems found can be emailed to a configurable address. Isode event logging is also used, so that this information can be handled by Windows Events, Syslog, or SNMP, and a file record is kept.
  • Microsoft SQL Server is now supported as an Audit Database option, as an alternative to the Postgres DBMS.
  • Clustered Audit Database Support. Audit Log processing and Isode tools can be configured with multiple database servers (Microsoft SQL Server or Postgres) and fail over between them.
  • X.400 Disaster Recovery. Changes have been made to M-Store X.400, to operate an off-site replica server using a common (directory configured) user/mailbox setup. In the event of the primary server failing, operation can be quickly switched to the replica using the MConsole GUI. This can be used in conjunction with redundant M-Switch configuration and M-Vault disaster recovery to provide a full off-site X.400 disaster recovery configuration.
  • ACP 145 support. ACP 145 is an MMHS profile for connecting between nations. M-Switch can now act as an ACP 145 gateway, converting between the ACP 145 profile and national standards, which can be STANAG 4406 or S/MIME (using MIXER conversion). The primary technical change to enable this is M-Switch support for STANAG 4406 ed2 signing and verification.
  • DKIM signing. M-Switch can now sign SMTP messages according to DKIM (DomainKeys Identified Mail) specified in RFC 5585. DKIM signatures facilitate reputation analysis, which can be used to protect against spam and phishing. We believe that DKIM may be useful for military messaging.
  • ACP 142 Management GUI. ACP 142 is used for constrained bandwidth messaging for STANAG 4406 and SMTP. As a consequence of operating over connectionless protocols, there are many parameters to set. The new UI takes high level parameters, such as link max speed, and sets the parameters to useful values so that the administrator does not need to be familiar with protocol details. See http://www.isode.com/support/acp-142-parameters.html
  • Password Encryption. M-Switch can configure various passwords in files on disks (e.g., a password for LDAP authentication). M-Switch has a mechanism to encrypt these passwords, including GUI setup. This mechanism is now applied to all the configuration files that M-Switch can use (previously it only applied to some).
  • Anti-Virus GUI. Anti-Virus checking for SMTP and X.400 can now be easily configured from MConsole.
  • Security Label Display in MConsole. MConsole can show the security labels of X.400 and SMTP messages in transit, and of archived messages.
  • XUXA enhancements to display useful message envelope items not previously shown (content type; redirection history; trace).

Directory

The M-Vault server has some performance enhancements, but no new features. There are a number of management tool enhancements.

  • Sodium as a separate product. We are now packaging Sodium independently so that it will be available as a product for data and PKI management against directories other than M-Vault. Sodium can run with its own license against any directory, or without a license against an M-Vault server.
  • Replication Monitoring in M-Vault Console. M-Vault Console can now monitor replication agreements, providing a GUI display of the status of all replication agreements in monitored servers.
  • Isode events from replication monitoring. M-Vault Console creates Isode events when it detects replication errors. This enables any supported event log mechanism (Windows Event, Syslog, SNMP) to alert operators to errors without use of the M-Vault Console GUI.
  • Solaris Service support. M-Vault can now be managed as a Solaris Service in M-Vault Console, MConsole and M-Link Console.
  • Password Management in Sodium. Sodium now provides improved support for changing the passwords of both the current user and other users.
  • Sodium PKI View. The PKI view used in Sodium CA, which shows only PKI information in the directory, is now available in Sodium. This gives a clean directory view for managing PKI information.
  • Collective Attributes can now be managed in Sodium.
  • Improved Sodium Tab Layout for People and Roles. A number of changes have been made to the default Sodium tab layout, particularly to bring the most useful attributes onto the front tab. The front tab for people and role entries is now focused on security attributes (X.509 Certificate, Security Clearance, Password) and attributes relevant to communication applications (mail, XMPP).
  • Access Control Groups in Sodium. People and account entries now have a tab showing which Access Control groups a user belongs to.
  • Sodium can now be configured to use (per bind profile) a security policy configured in an SIO directory entry, decoupling security policy from the directory server it is bound to.
  • Server to Server data confidentiality. M-Vault Console can now easily set up a server to listen on ITOS, which enables TLS to be used with the X.500 protocols, and configure the use of TLS for chaining and replication.
  • Data confidentiality for X.500 DAP. Sodium and M-Vault Console connections to M-Vault over X.500 DAP can now be easily configured to use TLS.

XMPP

New capabilities in the M-Link server include:

  • M-Link Server can now be configured as an HF Operator Chat gateway operating over STANAG 5066, so XMPP users can communicate with servers that support HF Operator Chat, but do not support XMPP operation over STANAG 5066.
  • Encryption of passwords in configuration (in particular any password used for LDAP directory authentication).
  • Presence stripping, so that constrained bandwidth links do not need to share presence updates.
  • Can be configured to leave out "FLOT" security labels, when the label is the default value.
  • Enable configuration of Security Policy (SPIF) by reference to a SPIF directory entry, rather than inclusion of the full SPIF. This enables easy SPIF sharing between M-Link servers and other products.

There are a number of XMPP management enhancements in M-Link Console including:

  • More M-Link server configuration options available in M-Link Console, so that most core M-Link configuration can now be done in M-Link Console.
  • Multi-Domain Configuration in M-Link Console, so that it is easy to set up additional supported IM domains and MUC domains.
  • M-Link Cluster Configuration from M-Link Console.
  • Configuration of M-Link Server's archive and telemetry logs paths from M-Link Console.

Preview Release: Security Label Server

A preview release of Security Label Server, a new Isode product, is provided in R15.1. This provides a lightweight protocol which gives any application an easy mechanism to look up Security Labels. These are filtered based on the clearances of a set of parties specified by the client, so that only appropriate Security Labels are offered. Management of Security Labels and Security Label Catalogs is handled by Sodium against M-Vault. Security Label Server capabilities include:

  • Fetch Security Policy (SPIF)
  • Create XEP 258 security label from ESS/X.411 label
  • Fetch default security label
  • Fetch XEP 258 security label catalog
  • Check security label authorization

There is a demonstration client implementation along with SIO-Label: support in a Thunderbird extension available from SMHS. This can be used to test Security Label Server.